R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 31, 2016

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - FBI creates new senior-level data scientist position, calls for applicants - The FBI is looking for candidates to fill its brand-new position of senior-level data scientist, a role that requires specialization in big-data analytics and whose responsibilities include serving as a top advisor and consultant to senior FBI management, including Cyber Division executives. http://www.scmagazine.com/fbi-creates-new-senior-level-data-scientist-position-calls-for-applicants/article/512542/

FYI - Auto Industry ISAC Releases Best Practices For Connected Vehicle Cybersecurity - Goal is to provide car manufacturers with guidelines for protecting modern vehicles against emerging cyber threats - The Automotive Information Sharing and Analysis Center (Auto-ISAC) has released a set of cybersecurity best practices for connected vehicles. http://www.darkreading.com/vulnerabilities---threats/auto-industry-isac-releases-best-practices-for-connected-vehicle-cybersecurity/d/d-id/1326347?

FYI - Utilities look back to the future for hands-on cyberdefense - The aftermath of the cyberattack in Ukraine on Dec. 23, 2015, produced two unexpected lessons that U.S. grid operators have started to take to heart. http://www.eenews.net/special_reports/the_hack

FYI - Cyber workforce goes beyond 'coders at the keyboard' - The White House's top cyber official hopes to see more than just your typical cybersecurity experts hired in the next year. http://fedscoop.com/cybersecurity-workforce-strategy-michael-daniel-trevor-rudolph-2016

FYI - 69% of email attacks with malicious attachments in Q2 contained Locky - The first five months of 2016 were dominated by malicious email campaigns and the quick emergence of new ransomware variants; then one of the largest botnets in the world went dark and the Angler exploit kit (EK) went silent, all leading to a strangely quiet June. http://www.scmagazine.com/69-of-email-attacks-with-malicious-attachments-in-q2-contained-locky/article/512074/

FYI - Former Citibank employee sentenced for shutting down 90% of firm's network - A former Citibank employee was sentenced to 21 months in prison after wiping routers and shutting down 90 percent of the firm's network access across North America. http://www.scmagazine.com/former-citibank-employee-sentenced-to-21-months-for-wiping-firms-routers/article/512543/

FYI - O2 customers' details sold on darkweb - The details of O2 customers have been found being sold on the dark web. http://www.scmagazine.com/o2-customers-details-sold-on-darkweb/article/512093/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - The Library of Congress computer systems have returned to normal after facing a four-day long cyber attack. Library Director of Communications Gayle Osterberg would not comment about the origin of the attack, but praised the IT department's efforts to keep the agency afloat. The attack began Sunday and caused intermittent outages of service for websites and agencies under the Library’s umbrella, including the U.S. Copyright Office. http://thehill.com/policy/cybersecurity/288564-after-3-day-cyberattack-library-of-congress-returning-to-normal

FYI - Cici’s Pizza: Card Breach at 130+ Locations - Cici’s Pizza, a Coppell, Texas-based fast-casual restaurant chain, today acknowledged a credit card breach at more than 135 locations. http://krebsonsecurity.com/2016/07/cicis-pizza-card-breach-at-130-locations/

FYI - 2.3 million 'Warframe,' 'Clash of Kings' accounts compromised - More than 2.3 million user records were compromised as two separate gaming companies announced they suffered data breaches. http://www.scmagazine.com/23-million-gaming-accounts-compromised-in-two-breaches/article/511384/

FYI - TSA master key hackers expose dangers of physical and digital key escrow policies - The hackers responsible for reproducing seven master keys used by the Transportation Safety Administration (TSA) to open locks commonly placed on luggage have now been able to duplicate an eighth key. http://www.scmagazine.com/tsa-master-key-hackers-expose-dangers-of-physical-and-digital-key-escrow-policies/article/511685/

FYI - Fake Tinder sites lure users to give up financial info - In the UK, 41 percent of online daters have been spammed or scammed when using online dating services. http://www.scmagazine.com/fake-tinder-sites-lure-users-to-give-up-financial-info/article/511505/

FYI - Possible breach at GunMag Warehouse - A third-party provider is being blamed for a possible breach into customer transactions at GunMag Warehouse. http://www.scmagazine.com/possible-breach-at-gunmag-warehouse/article/511780/

FYI - 'KeySniffer' attack allows wireless keyboard eavesdropping - Bastille researchers spotted a "KeySniffer" vulnerability affecting wireless keyboards from at least eight manufacturers that could allow an attacker to eavesdrop on and record a victim's keystrokes from hundreds of feet away. http://www.scmagazine.com/researchers-spotted-an-eavesdropping-vulnerability-in-several-wireless-keyboards/article/511953/

FYI - Kimpton Hotels investigates potential payment card breach - Boutique hotel chain Kimpton Hotels is investigating a potential payment card breach at several of its locations across the U.S. http://www.scmagazine.com/possible-payment-card-breach-affecting-kimpton-hotels/article/511980/

FYI - Athens Orthopedic Clinic reports patient data breach - The Athens Orthopedic Clinic (AOC) in Georgia is notifying patients of a data breach that compromised the personal information of current and former patients. http://www.scmagazine.com/georgia-orthopedic-clinic-patient-compromised-in-breach/article/512120/


WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."
 
 When assessing information security products, management should be aware that many products offer a combination of risk assessment features, and can cover single or multiple operating systems. Several organizations provide independent assessments and certifications of the adequacy of computer security products (e.g., firewalls). While the underlying product may be certified, banks should realize that the manner in which the products are configured and ultimately used is an integral part of the products' effectiveness. If relying on the certification, banks should understand the certification process used by the organization certifying the security product. Other examples of items to consider in the risk assessment process include:
 
 1) Identifying mission-critical information systems, and determining the effectiveness of current information security programs. For example, a vulnerability might involve critical systems that are not reasonably isolated from the Internet and external access via modem. Having up-to-date inventory listings of hardware and software, as well as system topologies, is important in this process.
 
 2) Assessing the importance and sensitivity of information and the likelihood of outside break-ins (e.g., by hackers) and insider misuse of information. For example, if a large depositor list were made public, that disclosure could expose the bank to reputational risk and the potential loss of deposits. Further, the institution could be harmed if human resource data (e.g., salaries and personnel files) were made public. The assessment should identify systems that allow the transfer of funds, other assets, or sensitive data/confidential information, and review the appropriateness of access controls and other security policy settings. 
 
 3) Assessing the risks posed by electronic connections with business partners. The other entity may have poor access controls that could potentially lead to an indirect compromise of the bank's system. Another example involves vendors that may be allowed to access the bank's system without proper security safeguards, such as firewalls. This could result in open access to critical information that the vendor may have "no need to know."
 
 4) Determining legal implications and contingent liability concerns associated with any of the above. For example, if hackers successfully access a bank's system and use it to subsequently attack others, the bank may be liable for damages incurred by the party that is attacked.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

 
 Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.
 
 Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.
 
 Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 11 - PREPARING FOR CONTINGENCIES AND DISASTERS
 
 
11.4.3 Automated Applications and Data
 
 Normally, the primary contingency strategy for applications and data is regular backup and secure offsite storage. Important decisions to be addressed include how often the backup is performed, how often it is stored off-site, and how it is transported (to storage, to an alternate processing site, or to support the resumption of normal operations).
 
 The need for computer security does not go away when an organization is processing in a contingency mode. In some cases, the need may increase due to sharing processing facilities, concentrating resources in fewer sites, or using additional contractors and consultants. Security should be an important consideration when selecting contingency strategies.
 
 11.4.4 Computer-Based Services
 
 Service providers may offer contingency services. Voice communications carriers often can reroute calls (transparently to the user) to a new location. Data communications carriers can also reroute traffic. Hot sites are usually capable of receiving data and voice communications. If one service provider is down, it may be possible to use another. However, the type of communications carrier lost, either local or long distance, is important. Local voice service may be carried on cellular. Local data communications, especially for large volumes, is normally more difficult. In addition, resuming normal operations may require another rerouting of communications services.
 
 11.4.5 Physical Infrastructure
 
 Hot sites and cold sites may also offer office space in addition to processing capability support. Other types of contractual arrangements can be made for office space, security services, furniture, and more in the event of a contingency. If the contingency plan calls for moving offsite, procedures need to be developed to ensure a smooth transition back to the primary operating facility or to a new facility. Protection of the physical infrastructure is normally an important part of the emergency response plan, such as use of fire extinguishers or protecting equipment from water damage.
 
 11.4.6 Documents and Papers
 
 The primary contingency strategy is usually backup onto magnetic, optical, microfiche, paper, or other medium and offsite storage. Paper documents are generally harder to back up than electronic ones. A supply of forms and other needed papers can be stored offsite.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved. Our logo is registered with the United States Patent and Trademark Office. © Copyright Yennik, Incorporated