FYI
Lack of cyber investment could spell trouble for smart cities:
report - A lack of investment in cybersecurity protections could
imperil the future of smart cities and the Internet of Things
devices on which they run, a new report from ABI Research warns.
https://www.scmagazine.com/home/security-news/lack-of-cyber-investment-could-spell-trouble-for-smart-cities-report/
Nowhere to turn for middle market companies decimated by cybercrime
- Middle-market companies are facing the bleak reality that they
must increasingly combat cyber threats on their own – with little
help and fewer resources than their larger counterparts.
https://www.scmagazine.com/home/opinion/executive-insight/nowhere-to-turn-for-middle-market-companies-decimated-by-cybercrime/
While one Texas county shook off ransomware, small cities took full
punch - Lubbock County managed to isolate the attack quickly.
Others, not so much. Few details have emerged about the coordinated
ransomware attack that struck 22 local governments in Texas last
week. But five local governments affected by the attack have been
identified.
https://arstechnica.com/information-technology/2019/08/while-one-texas-county-shook-off-ransomware-small-cities-took-full-punch/
When Ransomware Cripples a City, Who’s to Blame? This I.T. Chief Is
Fighting Back - The former information technology director of Lake
City, the northern Florida city that was forced to pay out nearly
half a million dollars after a ransomware attack this summer, was
blamed for the breach, and for the long time it took to recover.
https://www.nytimes.com/2019/08/22/us/florida-ransomware-hacking-it.html
Rockville Center School District pays $88,000 ransom - The Rockville
Center, N.Y. School District paid an $88,000 ransom to regain access
to files that had been encrypted by Ryuk ransomware.
http://www.scmagazine.com/home/security-news/ransomware/rockville-center-school-district-pays-100000-ransom/
Seven best practices for an effective phishing simulation program -
You are well aware of the risks you face as a security
professional—after all, they’re numerous, constantly evolving and
ever present.
https://www.scmagazine.com/home/opinion/executive-insight/seven-best-practices-for-an-effective-phishing-simulation-program/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
MoviePass database exposes 161 million records - An exposed
database on a MoviePass subdomain housing 161 million records was
left unsecured and exposed credit card and customer card information
on at least 60,000 of the ticket service’s customers.
https://www.scmagazine.com/home/security-news/moviepass-database-exposes-161-million-records/
Mass. General breach exposes private info on 9,900 in research
programs - A data breach in the neurology department of
Massachusetts General Hospital (MGH) exposed private data, including
genetic information, on 9,900 people participating in research
programs, the hospital said, placing the blame on an “unauthorized
third party” who gained access between June 10 and June 16.
https://www.scmagazine.com/home/security-news/data-breach/mass-general-breach-exposes-private-info-on-9900-in-research-programs/
Mastercard says German Priceless Specials loyalty program breached -
Mastercard Inc. has confirmed its German loyalty program partner
Priceless Specials has been breached, exposing information from the
accounts of 90,000 consumer customers.
https://www.scmagazine.com/home/security-news/mastercard-says-german-priceless-specials-loyalty-program-breached/
Data breach of Hostinger exposes 14 million users - Web hosting
provider and Internet domain registrar Hostinger International, Ltd.
has disclosed that an unauthorized third party breached its internal
system API last Friday and gained access to data belonging to
roughly 14 million users.
https://www.scmagazine.com/home/security-news/data-breach/data-breach-of-hostinger-exposes-14-million-users/
Almost 200K affected by Presbyterian Healthcare Services data breach
- Presbyterian Healthcare Services is informing 183,000 of its
patients and health plan members that their PII was compromised
after an employee fell victim to a phishing scam.
https://www.scmagazine.com/home/security-news/data-breach/almost-200k-affected-by-presbyterian-healthcare-services-data-breach/
Breach exposes data associated with customers of Imperva’s Cloud WAF
product - Cybersecurity company Imperva today disclosed a data
breach that impacts certain customers of its Cloud Web Application
Firewall (WAF) product who had accounts through Sept. 15, 2017.
https://www.scmagazine.com/home/security-news/data-breach/breach-exposes-data-associated-with-customers-of-impervas-cloud-waf-product/
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Sound Audit Trail Practices for E-Banking Systems
1. Sufficient logs should be maintained for all e-banking
transactions to help establish a clear audit trail and assist in
dispute resolution.
2. E-banking systems should be designed and installed to capture
and maintain forensic evidence in a manner that maintains control
over the evidence, and prevents tampering and the collection of
false evidence.
3. In instances where processing systems and related audit trails
are the responsibility of a third-party service provider:
a) The bank should ensure that it has access to relevant audit
trails maintained by the service provider.
b) The bank should ensure that audit trails maintained by the
service provider meet the bank's standards.
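One way to meet principle 2 (evidence that resists tampering) is a hash-chained transaction log. The Go below is an added example, not text or code from the Basel paper: each entry's tag is an HMAC over the previous tag and the record, so editing, deleting or reordering any earlier entry invalidates every later tag and the verifier can point at the first bad index. The key, record format and sample values are constructed for illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
)

// Entry is one transaction record chained to its predecessor:
// Tag = HMAC(key, PrevTag || 0x00 || Record).
type Entry struct {
	Record string
	Tag    string // hex HMAC-SHA256
}

// AuditTrail is an append-only log. The tagging key should be held by the
// audit function, not by the application that produces the records.
type AuditTrail struct {
	key     []byte
	entries []Entry
}
func NewAuditTrail(key []byte) *AuditTrail { return &AuditTrail{key: key} }

func (a *AuditTrail) tag(prev, record string) string {
	mac := hmac.New(sha256.New, a.key)
	mac.Write([]byte(prev))
	mac.Write([]byte{0}) // separator keeps the prev/record boundary unambiguous
	mac.Write([]byte(record))
	return hex.EncodeToString(mac.Sum(nil))
}

// Append links a new record to the current head of the chain.
func (a *AuditTrail) Append(record string) {
	prev := ""
	if n := len(a.entries); n > 0 {
		prev = a.entries[n-1].Tag
	}
	a.entries = append(a.entries, Entry{Record: record, Tag: a.tag(prev, record)})
}

// Verify recomputes the chain; returns the index of the first entry whose
// tag no longer matches, or -1 if the whole trail is intact.
func (a *AuditTrail) Verify() int {
	prev := ""
	for i, e := range a.entries {
		if !hmac.Equal([]byte(a.tag(prev, e.Record)), []byte(e.Tag)) {
			return i
		}
		prev = e.Tag
	}
	return -1
}
```

Verification only proves integrity relative to the tagging key, so the key must be unavailable to whoever could rewrite the log; periodically anchoring the latest tag outside the system (for example with the third-party provider from principle 3) closes that gap.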
FFIEC IT SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys,
effective key management is crucial. Effective key management
systems are based on an agreed set of standards, procedures, and
secure methods that address
- Generating keys for different cryptographic systems and
different applications;
- Generating and obtaining public keys;
- Distributing keys to intended users, including how keys should
be activated when received;
- Storing keys, including how authorized users obtain access to
keys;
- Changing or updating keys, including rules on when keys should be
changed and how this will be done;
- Dealing with compromised keys;
- Revoking keys and specifying how keys should be withdrawn or
deactivated;
- Recovering keys that are lost or corrupted as part of business
continuity management;
- Archiving keys;
- Destroying keys;
- Logging the auditing of key management-related activities; and
- Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
precautions.
- Key management is fully automated (e.g. personnel do not have
the opportunity to expose a key or influence the key creation).
- No key ever appears unencrypted.
- Keys are randomly chosen from the entire key space, preferably
by hardware.
- Key-encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key-encrypting
key. (A key-encrypting key is used to encrypt other keys, securing
them from disclosure.)
- All patterns in clear text are disguised before encrypting.
- Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
- Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
- Keys that are transmitted are sent securely to well-authenticated
parties.
- Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
from service.
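The Go below is an added example, not code from the FFIEC booklet, showing how several of the practices above fit together in a minimal envelope-encryption key store: data keys are drawn from the OS CSPRNG, held only wrapped under a separate key-encrypting key, bound to their record ID, and released only inside a defined activation/deactivation window and while not revoked. The type and function names are my own; in production the KEK itself would live in an HSM rather than in process memory.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// KeyRecord stores a data key (DEK) only in wrapped form under the
// key-encrypting key (KEK), with the window in which it may be used.
type KeyRecord struct {
	ID         string
	Wrapped    []byte // nonce || AES-GCM(KEK, DEK, aad=ID)
	Activate   time.Time
	Deactivate time.Time
	Revoked    bool // set when the key is withdrawn or known compromised
}

// newGCM builds the KEK cipher; a KEK that is not 16/24/32 bytes is a configuration error.
func newGCM(kek []byte) cipher.AEAD {
	block, err := aes.NewCipher(kek)
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// NewDataKey draws a fresh 256-bit DEK and a nonce from the OS CSPRNG and
// returns the DEK wrapped; the plaintext DEK never leaves this function.
func NewDataKey(kek []byte, id string, activate time.Time, lifetime time.Duration) (*KeyRecord, error) {
	aead := newGCM(kek)
	buf := make([]byte, 32+aead.NonceSize()) // dek || nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	dek, nonce := buf[:32], buf[32:]
	// The record ID is authenticated as associated data, so a wrapped blob cannot be moved to another record.
	wrapped := aead.Seal(append([]byte{}, nonce...), nonce, dek, []byte(id))
	return &KeyRecord{ID: id, Wrapped: wrapped, Activate: activate, Deactivate: activate.Add(lifetime)}, nil
}

// Unwrap releases the plaintext DEK only inside the usage window and only if not revoked; a wrong KEK fails authentication.
func (r *KeyRecord) Unwrap(kek []byte, now time.Time) ([]byte, error) {
	if r.Revoked || now.Before(r.Activate) || !now.Before(r.Deactivate) {
		return nil, errors.New("key " + r.ID + ": revoked or outside its usage period")
	}
	aead := newGCM(kek)
	return aead.Open(nil, r.Wrapped[:aead.NonceSize()], r.Wrapped[aead.NonceSize():], []byte(r.ID))
}
```

Rotation under this model means issuing a new record with a later activation date and letting the old one expire, so the usage period of any single data key stays bounded without ever exposing a key in the clear.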
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.5.2 Vulnerabilities Related to Payroll Errors
HGA's management has
established procedures for ensuring the timely submission and
interagency coordination of paperwork associated with personnel
status changes. However, an unacceptably large number of troublesome
payroll errors during the past several years has been traced to the
late submission of personnel paperwork. The risk assessment
documented the adequacy of HGA's safeguards, but criticized the
managers for not providing sufficient incentives for compliance.
20.5.3 Vulnerabilities Related to Continuity of Operations
COG Contingency Planning
The risk assessment
commended HGA for many aspects of COG's contingency plan, but
pointed out that many COG personnel were completely unaware of the
responsibilities the plan assigned to them. The assessment also
noted that although HGA's policies require annual testing of
contingency plans, the capability to resume HGA's
computer-processing activities at another cooperating agency has
never been verified and may turn out to be illusory.
Division Contingency Planning
The risk assessment
reviewed a number of the application-oriented contingency plans
developed by HGA's divisions (including plans related to time and
attendance). Most of the plans were cursory and attempted to
delegate nearly all contingency planning responsibility to COG. The
assessment criticized several of these plans for failing to address
potential disruptions caused by lack of access to (1) computer
resources not managed by COG and (2) nonsystem resources, such as
buildings, phones, and other facilities. In particular, the
contingency plan encompassing the time and attendance application
was criticized for not addressing disruptions caused by WAN and
mainframe outages.
Virus Prevention
The risk assessment
found HGA's virus-prevention policy and procedures to be sound, but
noted that there was little evidence that they were being followed.
In particular, no COG personnel interviewed had ever run a virus
scanner on a PC on a routine basis, though several had run them
during publicized virus scares. The assessment cited this as a
significant risk item.
Accidental Corruption and Loss of Data
The risk assessment
concluded that HGA's safeguards against accidental corruption and
loss of time and attendance data were adequate, but that safeguards
for some other kinds of data were not. The assessment included an
informal audit of a dozen randomly chosen PCs and PC users in the
agency. It concluded that many PC users store significant data on
their PCs' hard disks, but do not back them up. Based on anecdotes,
the assessment's authors stated that there appear to have been many
past incidents of loss of information stored on PC hard disks and
predicted that such losses would continue.