R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 27, 2015

Does your financial institution need an affordable cybersecurity Internet security audit? Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Military Battles to Man its Developing Cyber Force - Besieged by constant cyberattacks, the U.S. Defense Department is scrambling to assemble 133 Cyber Mission Force teams to defend military networks, protect critical U.S. infrastructure, and strike back in cyberspace when necessary. https://www.govtechworks.com/military-battles-to-man-its-growing-cyber-force/#gs.DvUUhBM

FYI - Manhattan DA opens international cyber threat sharing nonprofit - The Manhattan District Attorney’s Office is using funds from one of the largest bank settlements to found an international cybersecurity threat sharing organization, the office announced Wednesday. http://thehill.com/policy/cybersecurity/253830-manhattan-da-opens-international-cyberthreat-sharing-nonprofit

FYI - Comcast penalized for data breach - Comcast will pay to settle charges of unauthorized disclosure of names, phone numbers and addresses of an estimated 75,000 customers three years ago who paid for unlisted VoIP telephone service, according to The Wall Street Journal. http://www.scmagazine.com/comcast-penalized-for-data-breach/article/439508/

FYI - Internal employees account for 43 percent of data loss - Although a majority of data compromises come from external actors, including nation-state groups and cybercrime gangs, internal employees account for 43 percent of data loss; half of the time these leaks are accidental, a new study from Intel Security indicates. http://www.scmagazine.com/external-hackers-and-internal-employees-pose-data-breach-threat/article/439510/

FYI - Hackers, tech pros rally around teen who brought homemade clock to school - Tech companies and a group of Dallas hackers are rallying around a teenager arrested earlier in the week in Texas for bringing a homemade clock to school. http://www.scmagazine.com/zuckerberg-dallas-hackers-google-among-those-supporting-teen/article/439395/

FYI - DHS CISO wants repercussions for workers who fall for security scams - Falling for a phishing scam is embarrassing enough without having to learn it came from your boss as part of a test of your cybersecurity knowledge, but that is what Paul Beckman, chief information officer of the Department of Homeland Security, does to his staff. http://www.scmagazine.com/dhs-ciso-wants-repercussions-for-workers-who-fall-for-security-scams/article/439962/

FYI - Most U.S. organizations cannot properly respond to a cyberattack - The vast majority of U.S. organizations are not prepared to properly respond to a cyber attack, according to a new study by the Ponemon Institute. http://www.scmagazine.com/most-us-organizations-cannot-properly-respond-to-a-cyberattack/article/440113/

FYI - School board looks to protect itself with cyber liability insurance - The Dothan City, Ala., school board on Monday allocated $25,000 to purchase cyber liability insurance to cover the board in case a cyberattacker gains access to district information. http://www.scmagazine.com/school-board-looks-to-protect-itself-with-cyber-liability-insurance/article/440100/

FYI - Russian firm tasked with cracking Tor throws in towel - The company hired by the Kremlin to gather information on and crack the anonymous browser Tor is now looking to pay more than the contract's value in legal fees to back out of the agreement, according to Bloomberg. http://www.scmagazine.com/russian-firm-wants-to-back-out-of-contract-to-crack-tor/article/440393/

FYI - R.T. Jones reaches settlement with SEC in data breach case - The Securities and Exchange Commission (SEC) slapped St. Louis-based investment adviser R.T. Jones Capital Equities Management with a $75,000 penalty in a settlement over the firm's failure to establish cybersecurity policies and procedures before a breach compromised personal information of 100,000 people. http://www.scmagazine.com/sec-hits-security-adviser-with-75000-penalty-in-breach-settlement/article/440268/

FYI - Your identity is sold for $1 in the Dark Web - If you or your company is a victim of a cyberattack, where does this stolen data go, and to what purpose? http://www.cnet.com/news/the-price-of-your-identity-in-the-dark-web-no-more-than-a-dollar/

FYI - Former WH cybersecurity advisor turned security exec stresses info sharing - With the continued fallout from the Office of Personnel Management (OPM) data breaches in the backdrop, the federal government's cybersecurity posture has taken center stage, punctuating the need for agencies to take clear steps toward strengthening their position, according to a former cybersecurity advisor to the White House. http://www.scmagazine.com/former-wh-cybersecurity-advisor-turned-security-exec-stresses-info-sharing/article/440546/


FYI - American Airlines grounds flight due to computer glitch - American Airlines has grounded flights at three of its largest hubs due to a computer problem, according to the Federal Aviation Administration (FAA). http://thehill.com/policy/transportation/254058-american-airlines-grounds-flight-due-to-computer-glitch

FYI - Commack High School student management system hacked - The Commack School District in New York reported Thursday that its high school student management system was accessed by an unauthorized individual. http://www.scmagazine.com/commack-high-school-student-management-system-hacked/article/439393/

FYI - AT&T sales reps accused of scheming to unlock phones - A lawsuit alleges the former employees put malicious software on work computers so they could help untether discounted phones from AT&T contracts. http://www.cnet.com/news/at-t-sales-reps-accused-of-scheming-to-unlock-phones/

FYI - Symantec fires staff caught up in rogue Google SSL cert snafu - When your business is built on making secret numbers, don't make it look too easy - Symantec has fired some employees after Google engineers noticed rogue SSL certificates issued in the web goliath's name. http://www.theregister.co.uk/2015/09/21/symantec_fires_workers_over_rogue_certs/

FYI - CVS employee steals data on 55K Molina Healthcare members - Molina Healthcare is notifying nearly 55,000 current and former members that a former CVS employee – CVS is Molina Healthcare's over-the-counter (OTC) benefits vendor – took their personal information from CVS' computers and sent it to his personal computer. http://www.scmagazine.com/cvs-employee-steals-data-on-55k-molina-healthcare-members/article/440099/

FYI - Former Morgan Stanley adviser pleads guilty to stealing data - A former Morgan Stanley financial adviser who was fired for stealing the data of approximately 730,000 clients pleaded guilty to one count of unauthorized computer access in a federal court in New York on Monday. http://www.scmagazine.com/former-morgan-stanley-employee-fired-for-stealing-data-pleads-guilty-in-federal-court/article/440124/

FYI - OPM increases number of stolen fingerprints in data breach to 5.6 million - The number of fingerprints impacted in the second Office of Personnel Management (OPM) data breach has increased by 4.5 million. http://www.scmagazine.com/office-of-personnel-management-readjusts-victim-figures-in-data-breach/article/440219/

FYI - 3.4 million B.C., Yukon student records lost with misplaced hard drive - Authorities in British Columbia say as many as 3.4 million student education records dating back to 1986 may be breached due to a misplaced backup hard drive. http://www.scmagazine.com/34-million-bc-yukon-student-records-lost-with-misplaced-hard-drive/article/440422/

FYI - Imgur suffers DDoS attack on 4chan and 8chan servers - Imgur, the photo-sharing website, has been exploited in a distributed denial-of-service (DDoS) attack on the popular imageboards 4chan and 8chan. http://www.scmagazine.com/imgur-suffers-ddos-attack-on-4chan-and-8chan-servers/article/440522/

FYI - Uber attempting to reset stolen customer passwords - Uber is attempting to squash the use of hacked customer accounts that have most likely been sold on the dark web and are currently being used in China. http://www.scmagazine.com/uber-attempting-to-reset-stolen-customer-passwords/article/440724/


Risk Management of Outsourced Technology Services

Due Diligence in Selecting a Service Provider - Oversight of Service Provider

Some of the oversight activities management should consider in administering the service provider relationship are categorized and listed below. The degree of oversight activities will vary depending upon the nature of the services outsourced. Institutions should consider the extent to which the service provider conducts similar oversight activities for any of its significant supporting agents (i.e., subcontractors, support vendors, and other parties) and the extent to which the institution may need to perform oversight activities on the service provider’s significant supporting agents.

Monitor Financial Condition and Operations

• Evaluate the service provider’s financial condition periodically.
• Ensure that the service provider’s financial obligations to subcontractors are being met in a timely manner.
• Review audit reports (e.g., SAS 70 reviews, security reviews) as well as regulatory examination reports if available, and evaluate the adequacy of the service provider’s systems and controls including resource availability, security, integrity, and confidentiality.
• Follow up on any deficiencies noted in the audits and reviews of the service provider.
• Periodically review the service provider’s policies relating to internal controls, security, systems development and maintenance, and backup and contingency planning to ensure they meet the institution’s minimum guidelines, contract requirements, and are consistent with the current market and technological environment.
• Review access control reports for suspicious activity.
• Monitor changes in key service provider project personnel allocated to the institution.
• Review and monitor the service provider’s insurance policies for effective coverage.
• Perform on-site inspections in conjunction with some of the reviews performed above, where practicable and necessary.
• Sponsor coordinated audits and reviews with other client institutions.

Some services provided to insured depository institutions by service providers are examined by the FFIEC member agencies. Regulatory examination reports, which are only available to clients/customers of the service provider, may contain information regarding a service provider’s operations. However, regulatory reports are not a substitute for a financial institution’s due diligence in oversight of the service provider.


We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)


Token technology relies on a separate physical device, which is retained by an individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software in the host computer, for example through an internal clock or an identical time-based mathematical algorithm. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token.

Smart Cards

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, operating system, and both read only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.

Biometrics

Biometrics involves identification and verification of an individual based on some physical characteristic, such as fingerprint analysis, hand geometry, or retina scanning. This technology is advancing rapidly, and offers an alternative means to authenticate a user.


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Section I. Introduction & Overview
Chapter 1

INTRODUCTION - 1.3 Organization

The first section of the handbook contains background and overview material, briefly discusses threats, and explains the roles and responsibilities of individuals and organizations involved in computer security. It explains the executive principles of computer security that are used throughout the handbook. For example, one important principle that is repeatedly stressed is that only security measures that are cost-effective should be implemented. A familiarity with the principles is fundamental to understanding the handbook's philosophical approach to the issue of security.

The next three major sections deal with security controls: Management Controls (II), Operational Controls (III), and Technical Controls (IV). Most controls cross the boundaries between management, operational, and technical. Each chapter in the three sections provides a basic explanation of the control; approaches to implementing the control; some cost considerations in selecting, implementing, and using the control; and selected interdependencies that may exist with other controls. Each chapter in this portion of the handbook also provides references that may be useful in actual implementation.

• The Management Controls section addresses security topics that can be characterized as managerial. They are techniques and concerns that are normally addressed by management in the organization's computer security program. In general, they focus on the management of the computer security program and the management of risk within the organization.

• The Operational Controls section addresses security controls that focus on controls that are, broadly speaking, implemented and executed by people (as opposed to systems). These controls are put in place to improve the security of a particular system (or group of systems). They often require technical or specialized expertise -- and often rely upon management activities as well as technical controls.

• The Technical Controls section focuses on security controls that the computer system executes. These controls are dependent upon the proper functioning of the system for their effectiveness. The implementation of technical controls, however, always requires significant operational considerations -- and should be consistent with the management of security within the organization.

Finally, an example is presented to aid the reader in correlating some of the major topics discussed in the handbook. It describes a hypothetical system and discusses some of the controls that have been implemented to protect it. This section helps the reader better understand the decisions that must be made in securing a system, and illustrates the interrelationships among controls.

Definition of Sensitive Information

Many people think that sensitive information only requires protection from unauthorized disclosure. However, the Computer Security Act provides a much broader definition of the term "sensitive" information:

"any information, the loss, misuse, or unauthorized access to or modification of which could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy."

The above definition can be contrasted with the long-standing confidentiality-based information classification system for national security information (i.e., CONFIDENTIAL, SECRET, and TOP SECRET). This system is based only upon the need to protect classified information from unauthorized disclosure; the U.S. Government does not have a similar system for unclassified information. No government wide schemes (for either classified or unclassified information) exist which are based on the need to protect the integrity or availability of information.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119

