FYI
- 100% of breached PCI certified companies failed PCI compliance
audit - PCI DSS compliance doesn't guarantee security, but half of
PCI certified companies aren't compliant which does indicate
vulnerability to cyber-attack. "It's not a project, it's a programme
- something you need to maintain."
https://www.scmagazine.com/100-of-breached-pci-certified-companies-failed-pci-compliance-audit/article/685541/
Judge says Yahoo must meet users in court after breaches - In a blow
to new parent Verizon Communications, Inc., Yahoo will have to face
the music in court for a series of data breaches that affected more
than one billion users, a district judge in California ruled
Wednesday.
https://www.scmagazine.com/judge-says-yahoo-must-meet-users-in-court-after-breaches/article/686257/
Navy admiral says no evidence of cyberattack in ship collisions - An
investigation into the separate recent collisions between two Navy
warships from the Seventh Fleet and commercial vessels has so far
shown no evidence of cyberattacks, according to Admiral John
Richardson, chief of naval operations.
https://www.scmagazine.com/navy-admiral-says-no-evidence-of-cyberattack-in-ship-collisions/article/685845/
China's cybersecurity law grants government 'unprecedented' control
over foreign tech - Relinquish your IP or lose one of the world's
largest markets - China's new cybersecurity law will enable its
government to discover potential security vulnerabilities of any
company doing business in the country, threat intelligence firm
Recorded Future warns.
http://www.theregister.co.uk/2017/09/01/china_cybersecurity_law_analysis/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- WikiLeaks homepage defaced as it dumps more CIA hacking tools - The
Central Intelligence Agency can take some small comfort that as
WikiLeaks was preparing for its latest dump of the spy agency's
Vault hacking tools, a group of hackers was busy defacing WikiLeaks'
homepage.
https://www.scmagazine.com/wikileaks-homepage-defaced-as-it-dumps-more-cia-hacking-tools/article/685729/
Kaiser Permanente members notified of Riverside area breach - Kaiser
Permanente is notifying members in Riverside and the surrounding
area that their information was compromised in a recent data breach.
https://www.scmagazine.com/kaiser-permanente-members-notified-of-riverside-area-breach/article/685742/
Instagram API hacked to access verified accounts of Selena Gomez,
others - Just two days after Selena Gomez's Instagram account was
hacked to post leaked nude photos of Justin Bieber, the social media
company confirmed it was hit by a cyberattack targeting several high
profile celebrities.
https://www.scmagazine.com/instagram-admits-api-was-hacked-to-compromise-celebrity-accounts/article/685733/
Silver Cross Hospital vendor exposes information on 9,000 patients -
Almost 9,000 patients of Silver Cross hospital, outside of Chicago,
possibly had their data exposed due to an error made by a
third-party vendor.
https://www.scmagazine.com/silver-cross-hospital-vendor-exposes-information-on-9000-patients/article/685543/
19,000 Medical Oncology Hematology Consultants, PA records exposed
in ransomware attack - More than 19,000 patient records were exposed
during a ransomware attack on Medical Oncology Hematology
Consultants, PA that took place in June.
https://www.scmagazine.com/19000-medical-oncology-hematology-consultants-pa-records-exposed-in-ransomware-attack/article/686255/
Some U.K. pharma firms decline to report data breaches, survey - A
survey of more than 400 IT professionals in the U.K. pharmaceutical
business found that many do not report data breaches, in many cases
because they do not know how.
https://www.scmagazine.com/some-uk-pharma-firms-decline-to-report-data-breaches-survey/article/685861/
Leaky S3 bucket sloshes deets of thousands with US security
clearance - Bunch of resumés citing secret government work exposed -
Thousands of files containing the personal information of US
citizens with classified security clearance have been exposed by an
unsecured Amazon server.
http://www.theregister.co.uk/2017/09/04/us_security_clearance_aws_breach/
Data breach exposes about 4 million Time Warner customer records -
Time Warner Cable, now known as Spectrum, became the latest company
to realize exactly how vulnerable its data is when a third-party
vendor entrusted with its safety made an error exposing millions of
records.
https://www.scmagazine.com/data-breach-exposes-about-4-million-time-warner-customer-records/article/686592/
MLB: Red Sox used Apple watches to steal, transmit pitching signs -
Major League Baseball investigators have found that the Boston Red
Sox used Apple watches to steal hand signals from competitors'
catchers and pass them on to their own players, according to a
report in the New York Times.
https://www.scmagazine.com/mlb-red-sox-used-apple-watches-to-steal-transmit-pitching-signs/article/686757/
Nearly 29M records stolen in breach of Latin American social network
Taringa! - Almost 29 million user accounts registered with Taringa!,
a social network for Latin American and Spanish-speaking users that
draws comparisons to Facebook and Reddit, were stolen last month in a
major data breach.
https://www.scmagazine.com/nearly-29m-records-stolen-in-breach-of-latin-american-social-network-taringa/article/686421/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 4 of 5)
PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response
To respond to spoofing incidents effectively, bank management
should establish structured and consistent procedures. These
procedures should be designed to close fraudulent Web sites, obtain
identifying information from the spoofed Web site to protect
customers, and preserve evidence that may be helpful in connection
with any subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site
and recover customer information. Some of these steps will require
the assistance of legal counsel.
* Communicate promptly, including through written communications,
with the Internet service provider (ISP) responsible for hosting the
fraudulent Web site and demand that the suspect Web site be
shut down;
* Contact the domain name registrars promptly, for any domain
name involved in the scheme, and demand the disablement of the
domain names;
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
activity.
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding
that the incorrect use of their names or trademarks cease
immediately;
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Process (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
This process allows banks to take action against domain name
registrars to stop a spoofing incident. However, banks must bear in
mind that the UDRP can be relatively time-consuming. For more
details on this process see
http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
* Additional remedies may be available under the federal Anti-Cybersquatting
Consumer Protection Act (ACCPA) allowing the bank to initiate
immediate action in federal district court under section 43(d) of
the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide
for rapid injunctive relief without the need to demonstrate a
similarity or likelihood of confusion between the goods or services
of the parties.
FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number
of security-related threats. Coverage varies by insurance company,
but currently available insurance products may include coverage for
the following risks:
* Vandalism of financial institution Web sites,
* Denial-of-service attacks,
* Loss of income,
* Computer extortion associated with threats of attack or
disclosure of data,
* Theft of confidential information,
* Privacy violations,
* Litigation (breach of contract),
* Destruction or manipulation of data (including viruses),
* Fraudulent electronic signatures on loan agreements,
* Fraudulent instructions through e-mail,
* Third-party risk from companies responsible for security of
financial institution systems or information,
* Insiders who exceed system authorization, and
* Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third-party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
security incidents.
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 12 - COMPUTER SECURITY INCIDENT HANDLING
12.2.1 Defining the Constituency to Be Served
The constituency includes computer users and program managers. Like
any other customer-vendor relationship, the constituency will tend
to take advantage of the capability if the services rendered are
valuable.
The constituency is not always the entire organization. For
example, an organization may use several types of computers and
networks but may decide that its incident handling capability is
cost-justified only for its personal computer users. In doing so,
the organization may have determined that computer viruses pose a
much larger risk than other malicious technical threats on other
platforms. Or, a large organization composed of several sites may
decide that current computer security efforts at some sites do not
require an incident handling capability, whereas other sites do
(perhaps because of the criticality of processing).
The focus of a computer security incident handling capability may
be external as well as internal. An incident that affects an
organization may also affect its trading partners, contractors, or
clients. In addition, an organization's computer security incident
handling capability may be able to help other organizations and,
therefore, help protect the community as a whole.
12.2.2 Educated Constituency
Users need to know about, accept, and trust the incident handling
capability or it will not be used. Through training and awareness
programs, users can become knowledgeable about the existence of the
capability and how to recognize and report incidents. Users' trust in
the value of the service will build with reliable performance.
12.2.3 Centralized Reporting and Communications
Successful incident handling requires that users be able to report
incidents to the incident handling team in a convenient,
straightforward fashion; this is referred to as centralized
reporting. A successful incident handling capability depends on
timely reporting. If it is difficult or time consuming to report
incidents, the incident handling capability may not be fully used.
Usually, some form of a hotline, backed up by pagers, works well.
Centralized communications is very useful for accessing or
distributing information relevant to the incident handling effort.
For example, if users are linked together via a network, the
incident handling capability can then use the network to send out
timely announcements and other information. Users can take advantage
of the network to retrieve security information stored on servers
and communicate with the incident response team via e-mail.
Managers need to know details about incidents, including who
discovered them and how, so that they can prevent similar incidents
in the future. However, users will not be forthcoming if they fear
reprisal or that they will become scapegoats. Organizations may need
to offer incentives to employees for reporting incidents and offer
guarantees against reprisal or other adverse actions. It may also be
useful to consider anonymous reporting.