FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, agreement and, cost saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Government budget agency drafts contractor cybersecurity guidelines - The Office of Management and Budget (OMB) proposed new cybersecurity guidelines earlier this week to help government agencies draft contracts with third-party groups. http://www.scmagazine.com/omb-drafts-cybersecurity-proposal-for-contractors/article/432429/

FYI - China to plant Internet police in top online firms - China is also considering legislation that will give the government more control over the Internet - China's control over the Internet is set to expand. In a bid to better police local websites, the country's security forces are establishing offices at the biggest online companies in the country. http://www.computerworld.com/article/2956681/security/china-to-plant-internet-police-in-top-online-firms.html

FYI - Tutor who helped students cheat by keylogging teachers gets 1 year in prison - 29-year-old tutor was charged with 20 counts of computer access and fraud. On Tuesday, a Southern California tutor pleaded guilty to computer fraud and burglary for placing keylogging software on teachers' computers to steal login credentials which he used to change students' grades and look at upcoming testing material. The sentenced was to one year in prison and five years on probation. http://arstechnica.com/tech-policy/2015/08/tutor-who-helped-students-cheat-by-keylogging-teachers-gets-1-year-in-prison/

FYI - Internet-Connected Gas Pumps Are a Lure for Hackers - If attackers could cause a gas station’s tanks to overflow or prevent leak alarms from sounding, it could have devastating consequences—particularly if they struck multiple pumps in a region at once. http://www.wired.com/2015/08/internet-connected-gas-pumps-lure-hackers/

FYI - Technology firm loses nearly $47 million in digital transfer fraud - Ubiquiti Networks, a wireless networking products provider, lost nearly $47 million in cyber fraud involving phony transfer requests earlier this year. http://www.scmagazine.com/ubiquiti-networks-loses-millions-in-cyber-scam/article/431755/

FYI - Windows 10 shares user data with Microsoft, even after disabling settings - While Microsoft offers users a free upgrade to its Windows 10 operating system, its flashy new offerings come packaged with something more sinister: settings that have privacy advocates concerned. http://www.scmagazine.com/microsofts-windows-10-worries-privacy-advocates/article/432657/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - American Airlines, Sabre Said to Be Hit in China-Tied Hacks - A group of China-linked hackers that has mowed through the databanks of major American health insurers and stolen personnel records of U.S. military and intelligence agencies has struck at the heart of the nation’s air-travel system, say people familiar with investigations of the attacks. http://www.bloomberg.com/news/articles/2015-08-07/american-airlines-sabre-said-to-be-hit-in-hacks-backed-by-china

FYI - American Airlines denies hack, but reinforces security efforts - American Airlines is redoubling its efforts to ensure its computer systems are secure in light of an apparent security incident at its one-time subsidiary Sabre. http://www.scmagazine.com/amerian-denies-cyber-attack/article/431428/

FYI - Pentagon email hacked, Russia already blamed - Message system for Joint Chiefs of Staff has been down for 11 days and counting - A chunk of the US Department of Defense's email system has been down for 11 days, following what appears to have been a successful attempt to hack it. http://www.theregister.co.uk/2015/08/06/pentagon_email_hacked/

FYI - Ransomware attack strikes Dayton, Ohio-area planning commission - The Miami Valley Regional Planning Commission (MVRPC) just reported that last month it was the victim of a ransomware attack that impacted about 15,000 files. http://www.scmagazine.com/ransomware-attack-in-dayton-ohio/article/431410/

FYI - China Read Emails of Top U.S. Officials - China's cyber spies have accessed the private emails of "many" top Obama administration officials, according to a senior U.S. intelligence official and a top secret document obtained by NBC News, and have been doing so since at least April 2010. http://www.nbcnews.com/news/us-news/china-read-emails-top-us-officials-n406046

FYI - HHS hacked five times in three years - Hackers have breached at least five divisions of the Department of Health & Human Services (HHS) over the last three years. http://thehill.com/policy/cybersecurity/250543-hhs-hacked-five-times-in-three-years

FYI - Joint Chiefs of Staff's email system back online after phishing hack - The U.S. Joint Chiefs of Staff's unclassified email system was brought back online Monday and the Department of Defense (DOD) confirmed that the system had been swept of malicious software. http://www.scmagazine.com/pentagon-email-back-after-hack/article/432027/

FYI - IRS agent misplaces flash drive containing data on nearly 12,000 Katy ISD employees - Katy Independent School District (ISD) in Texas is notifying nearly 12,000 current and former employees that an Internal Revenue Service (IRS) agent misplaced a portable flash drive containing their personal information while conducting a random audit under the direction of the IRS. http://www.scmagazine.com/irs-agent-misplaces-flash-drive-containing-data-on-nearly-12000-katy-isd-employees/article/432388/

FYI - Researchers hack a Corvette's brakes via insurance black box - Researchers exploit a Web-connected insurance monitor to hijack a car using text messages. The list of ways to electronically hijack cars is growing thanks to devices used to monitor drivers' roadway behavior. http://www.cnet.com/news/researchers-hack-a-corvettes-brakes-via-insurance-black-box/

FYI - SterlingBackcheck laptop stolen, contained data on about 100K individuals - SterlingBackcheck, a New York-based background screening services firm, is notifying about 100,000 individuals that a password protected, unencrypted laptop containing their personal information was stolen from an employee's vehicle. http://www.scmagazine.com/sterlingbackcheck-laptop-stolen-contained-data-on-about-100k-individuals/article/432516/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Contract Issues

Security and Confidentiality

The contract should address the service provider’s responsibility for security and confidentiality of the institution’s resources (e.g., information, hardware). The agreement should prohibit the service provider and its agents from using or disclosing the institution’s information, except as necessary to or consistent with providing the contracted services, to protect against unauthorized use (e.g., disclosure of information to institution competitors). If the service provider receives
nonpublic personal information regarding the institution’s customers, the institution should notify the service provider to assess the applicability of the privacy regulations. Institutions should require the service provider to fully disclose breaches in security resulting in unauthorized intrusions into the service provider that may materially affect the institution or its customers. The service provider should report to the institution when material intrusions occur, the effect on the institution, and corrective action to respond to the intrusion.

Controls

Consideration should be given to contract provisions addressing control over operations such as:

• Internal controls to be maintained by the service provider.
• Compliance with applicable regulatory requirements.
• Records to be maintained by the service provider.
• Access to the records by the institution.
• Notification by the service provider to the institution and the institution’s approval rights
regarding material changes to services, systems, controls, key project personnel allocated to
the institution, and new service locations.
• Setting and monitoring of parameters relating to any financial functions, such as payments
processing and any extensions of credit on behalf of the institution.
• Insurance coverage to be maintained by the service provider.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue the series  from the FDIC "Security Risks Associated with the Internet." 
 
 SECURITY MEASURES
 
 Certificate Authorities and Digital Certificates 
 
 Certificate authorities and digital certificates are emerging to further address the issues of authentication, non‑repudiation, data privacy, and cryptographic key management.  A certificate authority (CA) is a trusted third party that verifies the identity of a party to a transaction . To do this, the CA vouches for the identity of a party by attaching the CA's digital signature to any messages, public keys, etc., which are transmitted.  Obviously, the CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand.  Digital certificates are messages that are signed with the CA's private key.  They identify the CA, the represented party, and could even include the represented party's public key. 
 
 The responsibilities of CAs and their position among emerging technologies continue to develop.  They are likely to play an important role in key management by issuing, retaining, or distributing  public/private key pairs. 
 
 Implementation 
 
 The implementation and use of encryption technologies, digital signatures, certificate authorities, and digital certificates can vary.  The technologies and methods can be used individually, or in combination with one another.  Some techniques may merely encrypt data in transit from one location to another.  While this keeps the data confidential during transmission, it offers little in regard to authentication and non-repudiation.  Other techniques may utilize digital signatures, but still require the encrypted submission of sensitive information, like credit card numbers.  Although protected during transmission, additional measures would need to be taken to ensure the sensitive information remains protected once received and stored. 
 
 The protection afforded by the above security measures will be governed by the capabilities of the technologies, the appropriateness of the technologies for the intended use, and the administration of the technologies utilized.  Care should be taken to ensure the techniques  utilized are sufficient to meet the required needs of the institution.  All of the technical and  implementation differences should be explored when determining the most appropriate package.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL COMPUTER SYSTEM (HGA)

20.6.1 Mitigating Payroll Fraud Vulnerabilities

To remove the vulnerabilities related to payroll fraud, the risk assessment team recommended the use of stronger authentication mechanisms based on smart tokens to generate one-time passwords that cannot be used by an interloper for subsequent sessions. Such mechanisms would make it very difficult for outsiders (e.g., from the Internet) who penetrate systems on the WAN to use them to attack the mainframe. The authors noted, however, that the mainframe serves many different agencies, and HGA has no authority over the way the mainframe is configured and operated. Thus, the costs and procedural difficulties of implementing such controls would be substantial. The assessment team also recommended improving the server's administrative procedures and the speed with which security-related bug fixes distributed by the vendor are installed on the server.

After input from COG security specialists and application owners, HGA's managers accepted most of the risk assessment team's recommendations. They decided that since the residual risks from the falsification of time sheets were acceptably low, no changes in procedures were necessary. However, they judged the risks of payroll fraud due to the interceptability of LAN server passwords to be unacceptably high, and thus directed COG to investigate the costs and procedures associated with using one-time passwords for Time and Attendance Clerks and supervisor sessions on the server. Other users performing less sensitive tasks on the LAN would continue to use password-based authentication.

While the immaturity of the LAN server's access controls was judged a significant source of risk, COG was only able to identify one other PC LAN product that would be significantly better in this respect. Unfortunately, this product was considerably less friendly to users and application developers, and incompatible with other applications used by HGA. The negative impact of changing PC LAN products was judged too high for the potential incremental gain in security benefits. Consequently, HGA decided to accept the risks accompanying use of the current product, but directed COG to improve its monitoring of the server's access control configuration and its responsiveness to vendor security reports and bug fixes.

HGA concurred that risks of fraud due to unauthorized modification of time and attendance data at or in transit to the mainframe should not be accepted unless no practical solutions could be identified. After discussions with the mainframe's owning agency, HGA concluded that the owning agency was unlikely to adopt the advanced authentication techniques advocated in the risk assessment. COG, however, proposed an alternative approach that did not require a major resource commitment on the part of the mainframe owner.

The alternative approach would employ digital signatures based on public key cryptographic techniques to detect unauthorized modification of time and attendance data. The data would be digitally signed by the supervisor using a private key prior to transmission to the mainframe. When the payroll application program was run on the mainframe, it would use the corresponding public key to validate the correspondence between the time and attendance data and the signature. Any modification of the data during transmission over the WAN or while in temporary storage at the mainframe would result in a mismatch between the signature and the data. If the payroll application detected a mismatch, it would reject the data; HGA personnel would then be notified and asked to review, sign, and send the data again. If the data and signature matched, the payroll application would process the time and attendance data normally.

HGA's decision to use advanced authentication for time and attendance Clerks and Supervisors can be combined with digital signatures by using smart tokens. Smart tokens are programmable devices, so they can be loaded with private keys and instructions for computing digital signatures without burdening the user. When supervisors approve a batch of time and attendance data, the time and attendance application on the server would instruct the supervisor to insert their token in the token reader/writer device attached to the supervisors' PC. The application would then send a special "hash" (summary) of the time and attendance data to the token via the PC. The token would generate a digital signature using its embedded secret key, and then transfer the signature back to the server, again via the PC. The time and attendance application running on the server would append the signature to the data before sending the data to the mainframe and, ultimately, the payroll application.

Although this approach did not address the broader problems posed by the mainframe's I&A vulnerabilities, it does provide a reliable means of detecting time and attendance data tampering. In addition, it protects against bogus time and attendance submissions from systems connected to the WAN because individuals who lack a time and attendance supervisor's smart token will be unable to generate valid signatures. (Note, however, that the use of digital signatures does require increased administration, particularly in the area of key management.) In summary, digital signatures mitigate risks from a number of different kinds of threats.

HGA's management concluded that digitally signing time and attendance data was a practical, cost-effective way of mitigating risks, and directed COG to pursue its implementation. (They also noted that it would be useful as the agency moved to use of digital signatures in other applications.) This is an example of developing and providing a solution in an environment over which no single entity has overall authority.

20.6.2 Mitigating Payroll Error Vulnerabilities

After reviewing the risk assessment, HGA's management concluded that the agency's current safeguards against payroll errors and against accidental corruption and loss of time and attendance data were adequate. However, the managers also concurred with the risk assessment's conclusions about the necessity for establishing incentives for complying (and penalties for not complying) with these safeguards. They thus tasked the Director of Personnel to ensure greater compliance with paperwork-handling procedures and to provide quarterly compliance audit reports. They noted that the digital signature mechanism HGA plans to use for fraud protection can also provide protection against payroll errors due to accidental corruption.