FYI
- How companies that buy cyber liability insurance can ensure
they’re really insured - Security breaches have become one of IT
organizations’ biggest headaches, and the pain just keeps getting
worse. The average cost of a data breach last year reached $3.86
million, up 6.4 percent from the year before, according to a study
by IBM and the Ponemon Institute.
https://www.scmagazine.com/home/opinion/executive-insight/how-companies-that-buy-cyber-liability-insurance-can-ensure-theyre-really-insured/
Data breach cost rises to $4 million per incident; U.S. victims hit
even harder - The incurred cost of being hit with a data breach for
small and large corporations rose by double digits over the last
five years to almost $4 million per breach.
https://www.scmagazine.com/home/security-news/data-breach/data-breach-cost-rises-to-4-million-per-incident-u-s-victims-hit-even-harder/
Disruption Response Plans - Governors must now be prepared to
respond to the growing threat of cyberattacks. States and
territories count on experienced teams of public safety and
emergency management (EM) professionals to prepare for, respond to
and recover from natural and human-made disasters.
http://www.nga.org/wp-content/uploads/2019/04/IssueBrief_MG.pdf
Coats taps 2018 midterms crisis manager for new election threats
exec position - Director of National Intelligence (DNI) Dan Coats
Friday named Shelby Pierson, the agency’s election security crisis
manager during the 2018 midterms, to the newly created Intelligence
Community (IC) Election Threats Executive (ETE) position.
https://www.scmagazine.com/home/security-news/government-and-defense/election-coverage/coats-taps-2018-midterms-crisis-manager-for-new-election-threats-exec-position/
GAO - Improvements Are Needed to Enhance the Internal Revenue
Service's Information System Security Controls.
https://www.gao.gov/products/GAO-19-474R?utm_campaign=usgao_email&utm_content=topci_infosec&utm_medium=email&utm_source=govdelivery
GAO office audit finds more vulnerabilities at IRS - An annual
Government Accountability Office (GAO) audit has found more security
vulnerabilities at the Internal Revenue Service (IRS) and has made
more security recommendations to solve the problems.
https://www.scmagazine.com/home/security-news/vulnerabilities/an-annual-government-accountability-office-gao-audit-has-found-more-security-vulnerabilities-in-the-internal-revenue-service-irs-it-systems/
Kazakhstan government is now intercepting all HTTPS traffic - The
Kazakh government first wanted to intercept all HTTPS traffic back in
2016, but backed off after several lawsuits.
https://www.zdnet.com/article/kazakhstan-government-is-now-intercepting-all-https-traffic/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Bulgaria hack: 20-year-old infosec whizz cuffed after 'adult
population's' finance deets nicked - Bosses stick up for suspect,
claim he's being framed for pinching 5m folks' data - A 20-year-old
infosec bod has been arrested in Bulgaria after most of the
country's population had their personal and financial details
stolen.
https://www.theregister.co.uk/2019/07/18/bulgaria_financial_hack_arrest_5m_records_accessed/
Cloud-hosting firm iNSYNQ shut down by MegaCortex ransomware - The
QuickBooks cloud-hosting firm iNSYNQ is still in recovery mode after
being hit with a MegaCortex ransomware attack that forced it offline
last week and the company expects it to take at least several more
days to get all its customers back online.
https://www.scmagazine.com/home/security-news/ransomware/cloud-hosting-firm-insynq-shut-down-by-megacortex-ransomware/
Hackers leak documents stolen from contractor for Russian intel
agency - Hackers reportedly stole 7.5 TB of data from a contractor
for the Russian intelligence service FSB, and revealed details on
several of its activities or prospective projects, including the
collecting of information on users of social media services, Tor and
P2P networks.
https://www.scmagazine.com/home/security-news/hackers-leak-documents-stolen-from-contractor-for-russian-intel-agency/
Ellucian systems breached at 62 universities, Education Dept. says -
Hackers compromised student information systems at 62 universities
through a vulnerability in a common software platform, the
Department of Education has warned in a security alert.
https://edscoop.com/ellucian-banner-cyberattacks-62-universities/
QuickBooks Cloud Hosting Firm iNSYNQ Hit in Ransomware Attack -
Cloud hosting provider iNSYNQ says it is trying to recover from a
ransomware attack that shut down its network and has left customers
unable to access their accounting data for the past three days.
https://krebsonsecurity.com/2019/07/quickbooks-cloud-hosting-firm-insynq-hit-in-ransomware-attack/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Security Control Practices for E-Banking
1. Security profiles should be created and maintained and
specific authorization privileges assigned to all users of e-banking
systems and applications, including all customers, internal bank
users and outsourced service providers. Logical access controls
should also be designed to support proper segregation of duties.
2. E-banking data and systems should be classified according to
their sensitivity and importance and protected accordingly.
Appropriate mechanisms, such as encryption, access control and data
recovery plans should be used to protect all sensitive and high-risk
e-banking systems, servers, databases and applications.
3. Storage of sensitive or high-risk data on the organization's
desktop and laptop systems should be minimized and properly
protected by encryption, access control and data recovery plans.
4. Sufficient physical controls should be in place to deter
unauthorized access to all critical e-banking systems, servers,
databases and applications.
5. Appropriate techniques should be employed to mitigate external
threats to e-banking systems, including the use of:
a) Virus-scanning software at all critical entry points (e.g.
remote access servers, e-mail proxy servers) and on each desktop
system.
b) Intrusion detection software and other security assessment
tools to periodically probe networks, servers and firewalls for
weaknesses and/or violations of security policies and controls.
c) Penetration testing of internal and external networks.
6. A rigorous security review process should be applied to all
employees and service providers holding sensitive positions.
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a
response is necessary and to support subsequent forensics. The alarm
capability is only useful when a response will occur. Some intruder
detection devices available include:
- Switches that activate an alarm when an electrical circuit is
broken;
- Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
- Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance
to function properly. Maintenance logs are one control the
institution can use to determine whether the devices are
appropriately maintained. Periodic testing of the devices provides
assurance that they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to
personnel with a demonstrated need to be there:
- Operations center
- Uninterruptible power supply (UPS)
- Telecommunications equipment
- Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant
or burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.3 Protection Against Interruption of Operations (2 of 2)
Division Contingency Planning
HGA's divisions also
must develop and maintain their own contingency plans. The plans
must identify critical business functions, the system resources and
applications on which they depend, and the maximum acceptable
periods of interruption that these functions can tolerate without
significant reduction in HGA's ability to fulfill its mission. The
head of each division is responsible for ensuring that the
division's contingency plan and associated support activities are
adequate.
For each major
application used by multiple divisions, a chief of a single division
must be designated as the application owner. The designated
official (supported by his or her staff) is responsible for
addressing that application in the contingency plan and for
coordinating with other divisions that use the application.
If a division relies
exclusively on computer resources maintained by COG (Computer
Operations Group) (e.g., the LAN), it need not duplicate COG's
contingency plan, but is responsible for reviewing the adequacy of
that plan. If COG's plan does not adequately address the division's
needs, the division must communicate its concerns to the COG
Director. In either situation, the division must make known the
criticality of its applications to the COG. If the division relies
on computer resources or services that are not provided by
COG, the division is responsible for (1) developing its own
contingency plan or (2) ensuring that the contingency plans of other
organizations (e.g., the WAN service provider) provide adequate
protection against service disruptions.
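The division plans described above each state a maximum acceptable interruption for their own functions, but a shared resource such as COG's LAN or the WAN service inherits the tightest tolerance of every division that depends on it, directly or through an application. The following is an added example and not part of the NIST Handbook: a Python sketch that propagates function-level tolerances down a dependency graph to derive the recovery time each resource must meet, then flags where COG's plan or an external provider's commitment falls short, which is exactly the concern the text says a division must raise with the COG Director. The business functions, hour values, dependencies and committed recovery times are constructed for illustration.

```python
"""Derive recovery targets for shared resources from division-level tolerances.

Added example for the HGA contingency-planning text above; it is not from
the NIST Handbook. The business functions, their maximum tolerable
interruption (in hours), the dependency graph and the providers'
committed recovery times are all constructed for illustration.
"""
from typing import Dict, Optional, Set, Tuple

# What each division's plan must identify: critical functions and the
# maximum acceptable period of interruption for each.
FUNCTION_MTD_HOURS: Dict[str, int] = {
    "Payroll processing": 48,
    "Time and attendance entry": 24,
    "Public inquiry line": 8,
}

# Direct dependencies: functions depend on applications, applications on
# resources run by COG (the LAN, servers) or by outside providers (the WAN).
DEPENDS_ON: Dict[str, Set[str]] = {
    "Payroll processing": {"Payroll app", "Time and attendance app"},
    "Time and attendance entry": {"Time and attendance app"},
    "Public inquiry line": {"Case tracking app"},
    "Payroll app": {"COG LAN", "Mainframe"},
    "Time and attendance app": {"COG LAN", "COG file server"},
    "Case tracking app": {"COG LAN", "WAN service provider"},
}

# Recovery times committed in the plans the divisions must review: the
# application owners' plans, COG's plan, and the WAN provider's contract.
COMMITTED_RECOVERY_HOURS: Dict[str, int] = {
    "Payroll app": 24,
    "Time and attendance app": 24,
    "Case tracking app": 8,
    "COG LAN": 4,
    "COG file server": 12,
    "Mainframe": 24,
    "WAN service provider": 24,
}


def transitive_dependencies(node: str, graph: Dict[str, Set[str]]) -> Set[str]:
    """Everything `node` depends on, directly or indirectly (cycle-safe)."""
    seen: Set[str] = set()
    stack = [node]
    while stack:
        current = stack.pop()
        for dep in graph.get(current, set()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def required_recovery_hours(function_mtd: Dict[str, int],
                            graph: Dict[str, Set[str]]) -> Dict[str, int]:
    """A resource must be back within the tightest MTD of any function that
    depends on it, so a shared resource such as the LAN inherits the most
    demanding division's tolerance rather than its owner's."""
    required: Dict[str, int] = {}
    for function, mtd in function_mtd.items():
        for dep in transitive_dependencies(function, graph):
            required[dep] = min(mtd, required.get(dep, mtd))
    return required


def plan_gaps(required: Dict[str, int],
              committed: Dict[str, int]) -> Dict[str, Tuple[int, Optional[int]]]:
    """Resources whose committed recovery time is missing or slower than
    required: the concerns a division must raise with COG or the provider."""
    gaps: Dict[str, Tuple[int, Optional[int]]] = {}
    for resource, need in required.items():
        have = committed.get(resource)
        if have is None or have > need:
            gaps[resource] = (need, have)
    return gaps


if __name__ == "__main__":
    required = required_recovery_hours(FUNCTION_MTD_HOURS, DEPENDS_ON)
    for resource, hours in sorted(required.items()):
        print(f"{resource:24s} must recover within {hours:3d} h")
    for resource, (need, have) in plan_gaps(required, COMMITTED_RECOVERY_HOURS).items():
        print(f"GAP: {resource} needs {need} h, plan commits {have}")
```

With the constructed data, the WAN provider's 24-hour commitment is the only gap: the public inquiry line tolerates 8 hours, and its case-tracking application cannot run without the WAN, so the division owning that function, not COG, is the one that must take the shortfall up with the provider.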