FYI
- More than 80% of healthcare IT leaders say their systems have been
compromised - Eighty-one percent of healthcare executives say their
organizations have been compromised by at least one malware, botnet
or other kind of cyberattack during the past two years, according to
a survey.
http://www.computerworld.com/article/2975988/healthcare-it/more-than-80-of-healthcare-it-leaders-say-their-systems-have-been-compromised.html
FYI
- Pentagon Unveils New Rules Requiring Contractors to Disclose Data
Breaches - New sweeping defense contractor rules on hack
notifications take effect today, adding to a flurry of Pentagon IT
security policies issued in recent years.
http://www.nextgov.com/cybersecurity/2015/08/pentagon-tries-harmonize-contractor-data-breach-rules/119498/
FYI
- U.S. agency warns electric utilities to bolster authentication -
U.S. electric utilities should pay close attention to their
authentication systems and access controls to reduce data breaches,
a government agency says in a new cybersecurity guide.
http://www.computerworld.com/article/2975934/security/us-agency-warns-electric-utilities-to-bolster-authentication.html
FYI
- Hacking number one consumer fear, others not worried - A study
found some consumers are tremendously worried about hacking and
malware, while almost half are not concerned at all and others
simply believe they are not of interest to cybercriminals.
http://www.scmagazine.com/report-finds-some-consumers-believe-not-target-of-cybercriminals/article/435521/
FYI
- Cyberarmies rising? - With government officials and executives in
the U.S. reeling from sophisticated hacks traced to China and other
state-backed entities, American spies and soldiers are sharpening
the ongoing debate over if – and when – an online action.
http://www.scmagazine.com/cyberarmies-rising/article/436067/
FYI
- Barclays first bank to accept bitcoin - After experimenting with
bitcoin in its London “labs,” Barclays is set to become the first
major bank to accept the digital currency.
http://www.scmagazine.com/barclays-testing-bitcoin-for-charitable-donations/article/435926/
FYI
- Sony Pictures reaches settlement with ex-employees over hacking -
The hack revealed the inner workings of the studio, as well as the
personal information of more than 47,000 celebrities, freelancers,
and current and former Sony employees.
http://www.cnet.com/news/sony-pictures-reaches-settlement-with-ex-employees-over-hacking/
FYI
- Hackers could use baby monitors to watch your kids too, security
experts warn - Some video-streaming baby monitors aren't safe from
hackers, a security researcher finds, and it doesn't matter how much
you paid either. Experts say this is part of a trend indicating poor
security in Net-connected household devices.
http://www.cnet.com/news/several-baby-monitors-easily-hacked-security-researcher-finds/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- GitHub combats DDoS cyberattack - The code repository has
mitigated a new DDoS attack following a crippling salvo experienced
in March.
http://www.zdnet.com/article/github-combats-ddos-cyberattack/
FYI
- More than 10,000 Utah Food Bank donors notified of breach - Utah
Food Bank is notifying more than 10,000 individuals that their
personal information – including payment card data – may have been
exposed during a possible data security incident involving the
donation webpage.
http://www.scmagazine.com/more-than-10000-utah-food-bank-donors-notified-of-breach/article/435812/
FYI
- New 'Pawn Storm' attack spoofs EFF website - A newly registered
domain disguises itself as an official Electronic Frontier
Foundation (EFF) website and is being used in various spear phishing
attacks.
http://www.scmagazine.com/operation-pawn-storm-uses-spear-phishing-attack/article/435766/
FYI
- London clinic leaks status of 780 patients in newsletter - A
London sexual health clinic accidentally sent status, names, and
email addresses of 780 patients in a newsletter email Tuesday.
http://www.scmagazine.com/london-sexual-health-clinic-compromises-hiv-status-of-780-patients-in-newsletter/article/436507/
FYI
- Malware on Maine hotel computer targets guest payment cards -
Olympia Hotel Management, which manages Maine-based Brunswick Hotel
& Tavern, is notifying an undisclosed number of guests that malware
was discovered on the hotel's computer systems and payment card
information could be at risk.
http://www.scmagazine.com/malware-on-maine-hotel-computer-targets-guest-payment-cards/article/435900/
FYI
- ReverbNation notifies users of breach, recommends changing
passwords - ReverbNation – an online platform that currently assists
more than three million musicians in building their careers –
experienced a breach in 2014, and is now notifying an undisclosed
number of users and asking them to change their passwords.
http://www.scmagazine.com/2014-breach-prompts-reverbnation-to-notify-customers/article/436757/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Contract Issues
Ownership and License
The contract should address ownership and allowable use by the
service provider of the institution’s data, equipment/hardware,
system documentation, system and application software, and other
intellectual property rights. Other intellectual property rights may
include the institution’s name and logo; its trademark or
copyrighted material; domain names; web site designs; and other
work products developed by the service provider for the institution.
The contract should not contain unnecessary limitations on the
return of items owned by the institution. Institutions that purchase
software should consider establishing escrow agreements. These
escrow agreements may provide for the following: institution access
to source programs under certain conditions (e.g., insolvency of the
vendor), documentation of programming and systems, and verification
of updated source code.
Duration
Institutions should consider the type of technology and current
state of the industry when negotiating the appropriate length of the
contract and its renewal periods. While there can be benefits to
long-term technology contracts, certain technologies may be subject
to rapid change and a shorter-term contract may prove beneficial.
Similarly, institutions should consider the appropriate length of
time required to notify the service provider of the institution’s
intent not to renew the contract prior to expiration. Institutions
should consider coordinating the expiration dates of contracts for
inter-related services (e.g., web site, telecommunications,
programming, network support) so that they coincide, where
practical. Such coordination can minimize the risk of terminating a
contract early and incurring penalties as a result of necessary
termination of another related service contract.
FFIEC IT SECURITY -
We continue the series from the FDIC "Security Risks Associated with
the Internet."
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers that contain the information needed for delivery:
the source address, the destination address, and the port numbers
that indicate which service (application) the packet belongs to. The
various firewall techniques examine these headers, and in some cases
the packet contents, and either permit or deny the traffic based on
the firewall's rule configuration.
There are different types of firewalls that provide various levels
of security. Packet filters, sometimes implemented as screening
routers, judge each packet on its own, based solely on the stated
source and/or destination IP address and the service port (e.g.,
FTP). Because they keep no memory of earlier packets, they cannot
tell a genuine reply from a packet an attacker has crafted with a
spoofed source address or a source port chosen to look like a reply,
so rules written to let replies in can be abused to reach internal
systems. Other types of firewalls, such as circuit-level gateways
and application gateways (proxies), have separate interfaces with
the internal and external (Internet) networks, so no direct
connection is established between the two networks: a relay program
copies data from one interface to the other in each direction, and
an application gateway can additionally restrict which commands of a
protocol are permitted. A stateful inspection gateway keeps a table
of active connections and admits inbound packets only when they
belong to a session that was legitimately opened, in addition to
checking addresses and ports; products of this kind commonly provide
security logging and alarm capabilities, and some compare traffic
with previous transmissions for deviations from normal context.
Stateful inspection is faster than an application gateway but,
unless combined with application-layer inspection, sees less of the
protocol, so neither type is simply "stronger" in every respect.
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All traffic
into and out of the institution should pass through the firewall;
any path around it (a dial-in modem, a second Internet link) negates
its rules. The firewall should also perform network address
translation (NAT), rewriting the source address of outbound packets
to the firewall's own address so that no inside addresses are
exposed to the outside. NAT hides the internal addressing plan but
is not a filtering rule in itself, so it does not replace the rule
set. The possibility always exists that security might be
circumvented, so the firewall's logs must be collected and reviewed
and there must be procedures in place to detect attacks or system
intrusions. Careful consideration should also be given to any data
that is stored or placed on an Internet-facing server, especially
sensitive or critically important data, since that server is the
first thing an attacker who gets past the firewall will reach.
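As an added example that is not part of the FDIC text, the following Python simulation contrasts the stateless packet filter and the stateful inspection gateway described above, and shows the source NAT the Implementation paragraph calls for. The internal subnet, the firewall's public address, the "outbound HTTP only" policy, the port-preserving NAT and the three packets are all constructed for the illustration and do not describe any real product.

```python
"""Stateless packet filter vs. stateful inspection with source NAT.

Constructed simulation: addresses, rules and traffic are made up for
the example. Port-preserving NAT and an "outbound HTTP only" policy
are simplifying assumptions, not a description of any real firewall.
"""
from __future__ import annotations
from dataclasses import dataclass, replace

INSIDE_PREFIX = "10.0.0."      # assumed internal subnet (RFC 1918 space)
FW_PUBLIC_IP = "203.0.113.1"   # assumed Internet-facing address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # the two TCP flags needed to tell a new session from a reply
    ack: bool = False


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> str:
    """Screening-router rules: each packet is judged on its headers alone."""
    # Rule 1: inside hosts may open connections to external web servers.
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return "ALLOW"
    # Rule 2: let the servers' replies back in. The only header field that
    # marks a reply is the source port, and an attacker chooses that freely.
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.sport == 80:
        return "ALLOW"
    return "DENY"


class StatefulFirewall:
    """Admits inbound traffic only for sessions an inside host opened, and
    rewrites the source address of outbound packets (source NAT)."""

    def __init__(self) -> None:
        # state table entries: (inside_ip, inside_port, remote_ip, remote_port)
        self.table: set[tuple[str, int, str, int]] = set()
        self.alarms: list[str] = []   # the logging/alarm capability the text mentions

    def process(self, pkt: Packet) -> tuple[str, Packet | None]:
        """Return (verdict, packet as forwarded after NAT, or None when dropped)."""
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            new_session = pkt.syn and not pkt.ack and pkt.dport == 80
            if key in self.table or new_session:
                self.table.add(key)
                return "ALLOW", replace(pkt, src=FW_PUBLIC_IP)  # inside address never leaves
            self.alarms.append(f"outbound policy violation: {pkt}")
            return "DENY", None
        if not is_inside(pkt.src) and pkt.dst == FW_PUBLIC_IP:
            for inside_ip, inside_port, remote_ip, remote_port in self.table:
                if (remote_ip, remote_port, inside_port) == (pkt.src, pkt.sport, pkt.dport):
                    return "ALLOW", replace(pkt, dst=inside_ip)  # un-NAT the reply
            self.alarms.append(f"unsolicited inbound packet: {pkt}")
            return "DENY", None
        # Anything else (e.g. an outside packet claiming an inside source) is dropped.
        self.alarms.append(f"spoofed or misrouted packet: {pkt}")
        return "DENY", None


def demo() -> dict:
    """Run constructed traffic through both designs and collect the verdicts."""
    fw = StatefulFirewall()
    client_syn = Packet("10.0.0.5", 40000, "198.51.100.7", 80, syn=True)
    server_reply = Packet("198.51.100.7", 80, FW_PUBLIC_IP, 40000, syn=True, ack=True)
    # Attacker crafts a packet with source port 80 aimed at an inside host's SSH port.
    probe = Packet("198.51.100.66", 80, "10.0.0.5", 22, syn=True)

    stateless = {
        "client_syn": stateless_filter(client_syn),
        "server_reply": stateless_filter(replace(server_reply, dst="10.0.0.5")),
        "probe": stateless_filter(probe),
    }
    stateful = {}
    stateful["client_syn"], out = fw.process(client_syn)
    stateful["server_reply"], back = fw.process(server_reply)
    stateful["probe"], _ = fw.process(replace(probe, dst=FW_PUBLIC_IP))
    return {
        "stateless": stateless,
        "stateful": stateful,
        "nat_src_seen_outside": out.src,
        "reply_delivered_to": back.dst,
        "alarms": fw.alarms,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The stateless rule set passes the attacker's probe because "source port 80" is all it can check, while the stateful gateway drops it and raises an alarm because no inside host opened a session to that address and port; the server's real reply is the only inbound packet that matches the state table, and it is delivered with the internal address restored. Real NAT implementations allocate outside ports rather than preserving them, which the example skips.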
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 20 - ASSESSING AND MITIGATING THE RISKS TO A HYPOTHETICAL
COMPUTER SYSTEM (HGA)
20.6.5 Mitigating Network-Related Threats
The assessment recommended that HGA:
- require stronger I&A for dial-in access or, alternatively, that a
restricted version of the mail utility be provided for dial-in,
which would prevent a user from including files in outgoing mail
messages;
- replace its current modem pool with encrypting modems, and provide
each dial-in user with such a modem; and
- work with the mainframe agency to install a similar encryption
capability for server-to-mainframe communications over the WAN.
As with previous risk
assessment recommendations, HGA's management tasked COG to analyze
the costs, benefits, and impacts of addressing the vulnerabilities
identified in the risk assessment. HGA eventually adopted some of
the risk assessment's recommendations, while declining others. In
addition, HGA decided that its policy on handling time and
attendance information needed to be clarified, strengthened, and
elaborated, with the belief that implementing such a policy would
help reduce risks of Internet and dial-in eavesdropping. Thus, HGA
developed and issued a revised policy, stating that users are
individually responsible for ensuring that they do not transmit
disclosure-sensitive information outside of HGA's facilities via
e-mail or other means. It also prohibited them from examining or
transmitting e-mail containing such information during dial-in
sessions and developed and promulgated penalties for noncompliance.