FYI - Not every insider threat is malicious, but all are dangerous - As
companies fall victim to increased insider threats, one of the
greatest casualties has become trust in coworkers.
https://www.scmagazine.com/home/security-news/not-every-insider-threat-is-malicious-but-all-are-dangerous/
Lessons learned: Can education solve cybersecurity’s “people”
problem? - In 2017, an admin at Deloitte disabled multi-factor
authentication on their own account, opening a path to a major
breach; quite an embarrassment for a Big Four cybersecurity
consultancy.
https://www.scmagazine.com/home/opinion/executive-insight/lessons-learned-can-education-solve-cybersecuritys-people-problem/
Over 200M devices affected by critical flaws found in real-time
operating system - VxWorks, a real-time operating system (RTOS) that
runs on more than 2 billion devices — many in industrial,
health-care and enterprise environments — has been found to contain
11 vulnerabilities, six of which are critical flaws that enable
remote code execution. Around 200 million devices are running the
vulnerable versions of the RTOS, according to researchers.
https://www.scmagazine.com/home/security-news/vulnerabilities/over-2b-devices-affected-by-critical-flaws-found-in-real-time-operating-system/
Capital One breach exposes not just data, but dangers of cloud
misconfigurations - The massive Capital One data breach that
compromised the personal information of 100 million credit card
customers and applicants serves as a stark reminder that
misconfigurations and malicious insiders can defeat the most
well-intentioned cyber defenses, even when companies rely on a
third-party cloud service to securely manage their data.
https://www.scmagazine.com/home/security-news/capital-one-breach-exposes-not-just-data-but-dangers-of-cloud-misconfigurations/
DHS warns small aircraft are vulnerable to cyberattacks from those
with physical access - The Department of Homeland Security (DHS)
issued a warning that small aircraft can easily be hacked by threat
actors who have physical access to the vehicles.
https://www.scmagazine.com/home/security-news/vulnerabilities/the-department-of-homeland-security-dhs-issued-a-warning-that-small-aircraft-can-easily-be-hacked-by-threat-actors-with-physical-access-to-the-vehicles/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Louisiana declares state of emergency after cyberattacks hit three
school districts - In what is a first for Louisiana, its governor
has declared a state of emergency after three school systems in the
state were hit with cyberattacks.
https://www.scmagazine.com/home/security-news/government-and-defense/louisiana-declares-state-of-emergency-after-cyberattacks-hit-three-school-districts/
Ransomware incident leaves some Johannesburg residents without
electricity - Some residents of South Africa's biggest city were left
without electricity after ransomware hit the city's power provider.
https://www.zdnet.com/article/ransomware-incident-leaves-some-johannesburg-residents-without-electricity/
Johannesburg’s power company hit by ransomware attack - The
Johannesburg power company City Power was hit with a ransomware
attack on July 25 which compromised its databases, applications and
networks.
https://www.scmagazine.com/home/security-news/ransomware/johannesburgs-power-company-hit-by-ransomware-attack/
Brazilian President Bolsonaro’s cellphones targeted in cyberattacks
- The Brazilian Justice Ministry announced hackers targeted cell
phones used by Brazilian President Jair Bolsonaro.
https://www.scmagazine.com/home/security-news/government-and-defense/the-brazilian-justice-ministry-announced-hackers-targeted-cell-phones-used-by-brazilian-president-jair-bolsonaro/
Capital One hacker who stole personal info on 100M arrested - The
FBI arrested a former software engineer from Seattle on charges of
computer fraud and abuse after she accessed Capital One Financial
Corp. data through a misconfigured web application firewall and
stole Social Security numbers, names, birth dates, bank account
numbers and other personal information on more than 100 million
people.
https://www.scmagazine.com/home/security-news/data-breach/capital-one-hacker-who-stole-personal-info-on-100m-arrested/
Personal info on 2,500 LAPD members, 17.5K applicants stolen - A
hacker contacted the Los Angeles Information Technology Agency last
week claiming to have stolen personal information of 2,500
members of the LAPD and 17,500 applicants to the police force.
https://www.scmagazine.com/home/security-news/data-breach/personal-info-on-2500-lapd-members-17-5k-applicants-stolen/
Cyberattack strikes Watertown schools - The Watertown (New York)
city school district is the latest to be hit with a cyberattack.
https://www.scmagazine.com/home/security-news/cyberattack/cyberattack-strikes-watertown-schools/
Sephora reports data breach, but few details - High-end beauty
product supply retailer Sephora is reporting a data breach affecting
its customers in the South Pacific and Southeast Asia.
https://www.scmagazine.com/home/security-news/data-breach/sephora-reports-data-breach-but-few-details/
Ransomware Attack Impacts 522,000 Patients in Puerto Rico - A Puerto
Rico-based medical center and a related women and children's
hospital are victims of a recent ransomware attack impacting the
data of more than 522,000 individuals.
http://www.govinfosecurity.com/ransomware-attack-impacts-522000-patients-in-puerto-rico-a-12848
Some Deutsche Bank Employees Kept Email Access After Being Fired -
Some former Deutsche Bank AG employees were able to access the
bank’s email system for weeks after they were fired when the firm
exited its equities trading business.
https://www.bloomberg.com/news/articles/2019-07-29/some-deutsche-bank-employees-kept-email-access-after-being-fired
LAPD Data Breach Exposes Personal Info of Roughly 2.5K Officers -
The Los Angeles Police Department has suffered a data breach that
has reportedly exposed the names, email addresses, passwords, and
birth dates for police officers and applicants.
https://www.bleepingcomputer.com/news/security/lapd-data-breach-exposes-personal-info-of-roughly-25k-officers/
Cyberattack forces Houston County schools to postpone opening day -
Several thousand school children in Alabama had their summer
vacation extended by two weeks as the Houston County School District
was forced for the second time to delay opening day due to a
cyberattack.
https://www.scmagazine.com/home/security-news/malware/cyberattack-forces-houston-county-schools-to-postpone-opening-day/
WEB SITE COMPLIANCE - We continue covering some of the issues discussed
in the "Risk Management Principles for Electronic Banking" published by
the Basel Committee on Bank Supervision.
Sound Practices for Managing Outsourced E-Banking Systems and Services
(Part 1 of 3)
1. Banks should adopt appropriate processes for evaluating
decisions to outsource e-banking systems or services.
a) Bank management should clearly identify the strategic
purposes, benefits and costs associated with entering into
outsourcing arrangements for e-banking with third parties.
b) The decision to outsource a key e-banking function or service
should be consistent with the bank's business strategies, be based
on a clearly defined business need, and recognize the specific risks
that outsourcing entails.
c) All affected areas of the bank need to understand how the
service provider(s) will support the bank's e-banking strategy and
fit into its operating structure.
2. Banks should conduct appropriate risk analysis and due
diligence prior to selecting an e-banking service provider and at
appropriate intervals thereafter.
a) Banks should consider developing processes for soliciting
proposals from several e-banking service providers and criteria for
choosing among the various proposals.
b) Once a potential service provider has been identified, the
bank should conduct an appropriate due diligence review, including a
risk analysis of the service provider's financial strength,
reputation, risk management policies and controls, and ability to
fulfill its obligations.
c) Thereafter, banks should regularly monitor and, as
appropriate, conduct due diligence reviews of the ability of the
service provider to fulfill its service and associated risk
management obligations throughout the duration of the contract.
d) Banks need to ensure that adequate resources are committed to
overseeing outsourcing arrangements supporting e-banking.
e) Responsibilities for overseeing e-banking outsourcing
arrangements should be clearly assigned.
f) An appropriate exit strategy should be defined so the bank can
manage risks should it need to terminate the outsourcing relationship.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency
Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
PHYSICAL SECURITY IN DISTRIBUTED IS ENVIRONMENTS (Part 1 of 2)
Hardware and software located in a user department are often less
secure than that located in a computer room. Distributed hardware
and software environments (e.g., local area networks or LANs) that
offer a full range of applications for small financial institutions
as well as larger organizations are commonly housed throughout the
organization, without special environmental controls or raised
flooring. In such situations, physical security precautions are
often less sophisticated than those found in large data centers, and
overall building security becomes more important. Internal control
procedures are necessary for all hardware and software deployed in
distributed, and less secure, environments. The level of security
surrounding any IS hardware and software should depend on the
sensitivity of the data that can be accessed, the significance of
applications processed, the cost of the equipment, and the
availability of backup equipment.
Because of their portability and location in distributed
environments, PCs often are prime targets for theft and misuse. The
location of PCs and the sensitivity of the data and systems they
access determine the extent of physical security required. For PCs
in unrestricted areas such as a branch lobby, a counter or divider
may provide the only barrier to public access. In these cases,
institutions should consider securing PCs to workstations, locking
or removing disk drives, and using screensaver passwords or
automatic timeouts. Employees also should have only the access to
PCs and data they need to perform their job. The sensitivity of the
data processed or accessed by the computer usually dictates the
level of control required. The effectiveness of security measures
depends on employee awareness and enforcement of these controls.
An advantage of PCs is that they can operate in an office
environment, providing flexible and informal operations. However, as
with larger systems, PCs are sensitive to environmental factors such
as smoke, dust, heat, humidity, food particles, and liquids. Because
they are not usually located within a secure area, policies should
be adapted to provide protection from ordinary contaminants.
Other environmental problems to guard against include electrical
power surges and static electricity. The electrical power supply in
an office environment is sufficient for a PC's requirements.
However, periodic fluctuations in power (surges) can cause equipment
damage or loss of data. PCs in environments that generate static
electricity are susceptible to static electrical discharges that can
cause damage to PC components or memory.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.4.4 Protection Against Disclosure or Brokerage of Information
HGA's protection against information disclosure is based on a
need-to-know policy and
on personnel hiring and screening practices. The need-to-know policy
states that time and attendance information should be made
accessible only to HGA employees and contractors whose assigned
professional responsibilities require it. Such information must be
protected against access from all other individuals, including other
HGA employees. Appropriate hiring and screening practices can lessen
the risk that an untrustworthy individual will be assigned such
responsibilities.
The need-to-know policy
is supported by a collection of physical, procedural, and automated
safeguards, including the following:
- Time and attendance paper
documents must be stored securely when not in use,
particularly during evenings and on weekends. Approved
storage containers include locked file cabinets and desk
drawers---to which only the owner has the keys. While
storage in a container is preferable, it is also permissible
to leave time and attendance documents on top of a desk or
other exposed surface in a locked office (with the
realization that the guard force has keys to the office).
(This is a judgment left to local discretion.) Similar rules
apply to disclosure-sensitive information stored on floppy
disks and other removable magnetic media.
- Every HGA PC is equipped
with a key lock that, when locked, disables the PC. When
information is stored on a PC's local hard disk, the user to
whom that PC was assigned is expected to (1) lock the PC at
the conclusion of each workday and (2) lock the office in
which the PC is located.
- The LAN server operating
system's access controls provide extensive features for
controlling access to files. These include group-oriented
controls that allow teams of users to be assigned to named
groups by the System Administrator. Group members are then
allowed access to sensitive files not accessible to
nonmembers. Each user can be assigned to several groups
according to need to know. (The reliable functioning of
these controls is assumed, perhaps incorrectly, by HGA.)
- All PC users undergo
security awareness training when first provided accounts on
the LAN server. Among other things, the training stresses
the necessity of protecting passwords. It also instructs
users to log off the server before going home at night or
before leaving the PC unattended for periods exceeding an
hour.
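The group-oriented controls described in the LAN server bullet above (users assigned to several named groups by the administrator, sensitive files readable only by group members) and the FFIEC point earlier on this page that employees should have only the access their job requires come down to the same default-deny check. The following is an added example written for this page; it is not code from the NIST Handbook, from HGA, or from the newsletter. The user names, group names, file names, the rule that an unlabelled file is denied to everyone, and the deprovisioning helper are constructed assumptions for illustration.

```python
"""Need-to-know access checks modelled on the HGA LAN server description.

Added example, not part of the NIST Handbook or the newsletter. Every user,
group and file name below is constructed for illustration.
"""
from dataclasses import dataclass, field


@dataclass
class NeedToKnowServer:
    """Group-oriented file access controls of the kind the HGA text describes:
    the administrator assigns users to named groups, each sensitive file lists
    the groups whose members need to know, and anything not explicitly
    allowed is denied (the default-deny rule is this example's assumption)."""

    groups: dict = field(default_factory=dict)     # group name -> set of user ids
    resources: dict = field(default_factory=dict)  # file name -> set of group names
    audit: list = field(default_factory=list)      # (user, file, "ALLOW"/"DENY")

    def assign(self, user: str, group: str) -> None:
        """Administrator action: put a user in a group (a user may hold several)."""
        self.groups.setdefault(group, set()).add(user)

    def revoke(self, user: str, group: str) -> None:
        """Administrator action: drop one group membership."""
        self.groups.get(group, set()).discard(user)

    def deprovision(self, user: str) -> int:
        """Remove a departing user from every group. Returns how many memberships
        were dropped so the caller can confirm nothing lingered."""
        dropped = 0
        for members in self.groups.values():
            if user in members:
                members.discard(user)
                dropped += 1
        return dropped

    def protect(self, filename: str, allowed_groups) -> None:
        """Label a sensitive file with the groups whose members need to know."""
        self.resources[filename] = set(allowed_groups)

    def groups_of(self, user: str) -> set:
        """All groups the user currently belongs to."""
        return {g for g, members in self.groups.items() if user in members}

    def can_read(self, user: str, filename: str) -> bool:
        """Default deny: the file must be labelled and the user must belong to at
        least one of its allowed groups. Every decision is written to the audit
        list so denials can be reviewed later."""
        allowed = self.resources.get(filename)
        decision = allowed is not None and bool(self.groups_of(user) & allowed)
        self.audit.append((user, filename, "ALLOW" if decision else "DENY"))
        return decision


def demo() -> dict:
    """Constructed scenario: time-and-attendance records readable only by the
    timekeeping group, personnel records only by HR; carol sits in both."""
    srv = NeedToKnowServer()
    srv.assign("alice", "timekeeping")
    srv.assign("bob", "hr")
    srv.assign("carol", "timekeeping")
    srv.assign("carol", "hr")
    srv.protect("ta_records.dat", {"timekeeping"})
    srv.protect("personnel.dat", {"hr"})

    results = {
        "alice_ta": srv.can_read("alice", "ta_records.dat"),        # member: allowed
        "alice_hr": srv.can_read("alice", "personnel.dat"),         # not in HR: denied
        "carol_both": srv.can_read("carol", "ta_records.dat")
        and srv.can_read("carol", "personnel.dat"),                 # two groups, both allowed
        "dave_unknown": srv.can_read("dave", "ta_records.dat"),     # no groups at all: denied
        "unlabelled": srv.can_read("bob", "scratch.tmp"),           # unlabelled file: denied
    }
    # Departure: every membership must go, and access must stop immediately.
    results["carol_dropped"] = srv.deprovision("carol")
    results["carol_after"] = srv.can_read("carol", "ta_records.dat")
    results["denials"] = sum(1 for _, _, d in srv.audit if d == "DENY")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `deprovision` step is the check the page's own news items motivate: access is granted only through group membership, so removing a departing user from every group is a single operation whose return value can be verified, and the audit list shows any later attempt as a denial rather than a silent success.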