FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Former Georgia-Pacific sysadmin charged with damaging protected computers - Following his indictment last week by a federal grand jury, a Louisiana man was arrested on Wednesday to face charges of intentionally damaging protected computers belonging to his former employer. http://www.scmagazine.com/louisiana-man-arrested-for-damaging-employers-computers/article/424513/

FYI - Hackers had access to security clearance data for a year - Hackers who breached a database containing highly personal information on government employees with security clearances had access to the system for about a year before being discovered, The Washington Post reported on Friday. http://www.computerworld.com/article/2938654/cybercrime-hacking/hackers-had-access-to-security-clearance-data-for-a-year.html

FYI - OPM Breach Notification Frustrates Hacked Feds - Some victims of the massive hack of federal personnel records expressed fear their privacy might be violated by fraud protection services the government has outsourced to private companies. http://www.nextgov.com/cybersecurity/2015/06/opm-breach-notification-frustrates-hacked-feds/115882/

FYI - Pentagon seeks to hold its IT users more accountable for cyber missteps - The Defense Department has no shortage of regulations designed to encourage and enforce good cybersecurity behavior on its own networks. http://federalnewsradio.com/defense/2015/06/pentagon-seeks-to-hold-its-it-users-more-accountable-for-cyber-missteps/

FYI - Only 27 percent of flaws found in gov't applications fixed - After breaking down application security trends by industry, a security firm found that the government sector ranked lowest in remediating known vulnerabilities. http://www.scmagazine.com/govt-sector-ranks-lowest-in-remediating-vulnerabilities-study-says/article/424861/

FYI - Nearly all Japanese pension system files kept unprotected pre-breach - An investigation into the compromising of Japan's national pension system found that 99 percent of the accessed files were without any sort of password protection. http://www.scmagazine.com/no-passwords-used-in-japanese-pension-system/article/424868/

FYI - FBI updates Most Wanted cyber felons list, offers US$4.2m bounties - Zeus creator has $3m on his head, may be boating on the Black Sea - The mastermind of the Zeus trojan; a car scamming screwball; an identity thief; a malvertiser, and a keylogger monger: nail these five net crims to the wall and the FBI will pay you US$4.2 million. http://www.theregister.co.uk/2015/07/02/42m_for_five_hacker_heads/

FYI - GAO - Information Security: Cyber Threats and Data Breaches Illustrate Need for Stronger Controls across Federal Agencies - http://www.gao.gov/products/GAO-15-758T

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Harvard University announces network intrusion, possible data exposure - Harvard University announced that on June 19 an intrusion was discovered on the Faculty of Arts and Sciences (FAS) and Central Administration information technology networks, and that Harvard login credentials may have been exposed. http://www.scmagazine.com/harvard-login-credentials-may-have-been-exposed-in-breach/article/424500/

FYI - Skimmer on Santander Bank ATM vestibule door leads to fraud - Following the May 4 discovery of suspicious ATM withdrawals that occurred the day prior, Santander Bank determined that a magnetic stripe skimming device had been placed on the ATM vestibule door at its Woburn, Mass., branch on 19 Pleasant St. http://www.scmagazine.com/skimmer-on-santander-bank-atm-vestibule-door-leads-to-fraud/article/424347/

FYI - FireKeepers confirms breach, says about 85,000 cards and other info are at risk - Following a May announcement that it was replacing point-of-sale (POS) devices while investigating a potential breach, Michigan-based FireKeepers Casino Hotel confirmed Friday that unauthorized access was gained to its computer systems and personal information – as well as payment card data – may have been compromised. http://www.scmagazine.com/firekeepers-casino-notifies-guests-of-breach-possible-data-compromise/article/424830/

FYI - Hacking Team hacked; leaked documents confirm sale of software to Sudan and Ethiopia - An unknown number of hackers accessed and posted at least 400 GB of the “offensive technology” manufacturer Hacking Team's internal documents, emails, slideshow presentations, and more, on Sunday evening. http://www.scmagazine.com/hacking-team-systems-breached-and-docs-posted-online/article/424860/

FYI - Orlando Health employee improperly accesses patient medical records - Orlando Health announced that a former nursing assistant accessed about 3,200 patient medical records outside of their normal job responsibilities. http://www.scmagazine.com/orlando-health-employee-improperly-accesses-patient-medical-records/article/425120/

FYI - NYSE says trading halted due to 'technical issue,' not breach - Trading on the New York Stock Exchange (NYSE) came to a halt Wednesday.
http://www.scmagazine.com/glitch-brings-nyse-to-a-halt/article/425349/
http://www.scmagazine.com/nyse-provides-additional-info-on-recent-trade-halting-configuration-issue/article/425615/

FYI - Computer glitch grounds all United Airlines flights - A glitch in the computer software that manages United Airlines's automated operations brought the airline's flights to a screeching halt - temporarily - Wednesday morning. http://www.scmagazine.com/united-airlines-grounded-nearly-5k-flights-due-to-computer-glitch/article/425342/

FYI - Foreign hackers briefly commandeer German missile systems - A German missile system was reportedly hacked and taken over by unknown foreign attackers who executed “unexplained commands.” http://www.scmagazine.com/patriot-missile-system-vulnerable-to-cyber-attack/article/425609/

FYI - Detroit Zoo, eight others across the county experience POS breach - The Detroit Zoo along with eight other zoos across the country announced that Service Systems Associates (SSA), a third party vendor that handles retail and concession payments, experienced a point-of-sale (POS) breach that affected customers between March 23 and June 25 of this year. http://www.scmagazine.com/pos-breach-at-detroit-zoo-and-eight-other-zoos-nationwide/article/425607/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services ( Part 4 of 4)
 
 Service Provider Oversight
 
 Institutions should implement an oversight program to monitor each service provider’s controls, condition, and performance. Responsibility for the administration of the service provider relationship should be assigned to personnel with appropriate expertise to monitor and manage the relationship. The number of personnel, functional responsibilities, and the amount of time devoted to oversight activities will depend, in part, on the scope and complexity of the services outsourced. Institutions should document the administration of the service provider relationship. Documenting the process is important for contract negotiations, termination issues, and contingency planning.
 
 Summary
 
 The board of directors and management are responsible for ensuring adequate risk mitigation practices are in place for effective oversight and management of outsourcing relationships. Financial institutions should incorporate an outsourcing risk management process that includes a risk assessment to identify the institution’s needs and requirements; proper due diligence to identify and select a provider; written contracts that clearly outline duties, obligations and responsibilities of the parties involved; and ongoing oversight of outsourcing technology services.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
 
 Logical Access Controls 
 
 A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 
 
 The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 
 
 Security Flaws and Bugs / Active Content Languages 
 
 Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 
 
 Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.  
 
 Viruses / Malicious Programs 
 
 Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.4.6 Protection Against Risks from Non-HGA Computer Systems

HGA relies on systems and components that it cannot control directly because they are owned by other organizations. HGA has developed a policy to avoid undue risk in such situations. The policy states that system components controlled and operated by organizations other than HGA may not be used to process, store, or transmit HGA information without obtaining explicit permission from the application owner and the COG Manager. Permission to use such system components may not be granted without written commitment from the controlling organization that HGA's information will be safeguarded commensurate with its value, as designated by HGA. This policy is somewhat mitigated by the fact that HGA has developed an issue-specific policy on the use of the Internet, which allows for its use for e-mail with outside organizations and access to other resources (but not for transmission of HGA's proprietary data).

20.5 Vulnerabilities Reported by the Risk Assessment Team

The risk assessment team found that many of the risks to which HGA is exposed stem from (1) the failure of individuals to comply with established policies and procedures or (2) the use of automated mechanisms whose assurance is questionable because of the ways they have been developed, tested, implemented, used, or maintained. The team also identified specific vulnerabilities in HGA's policies and procedures for protecting against payroll fraud and errors, interruption of operations, disclosure and brokering of confidential information, and unauthorized access to data by outsiders.