FYI
- Scottrade had no idea about data breach until the feds showed up -
The breach affected around 4.6 million customers' names and
addresses. When an organization gets hacked, ideally they'll realize
it promptly and warn their users right away.
http://www.pcworld.com/article/2988993/security/scottrade-had-no-idea-about-data-breach-until-the-feds-showed-up.html
FYI
- Banks With Weak Cybersecurity Could Be Downgraded: S&P - Given
banks' function as key nodes in the global financial system, S&P
views banks as "natural targets facing a high threat of cyber-risk."
Standard & Poor’s on Monday said that it could downgrade banks with
weak cybersecurity, even if they haven’t been attacked.
http://ww2.cfo.com/cyber-security-technology/2015/09/banks-weak-cybersecurity-downgraded-sp/
FYI
- Into the spotlight: Cyberinsurance - Data that can be monetized
is, simply put, a magnet for the bad guys. No matter whether your
organization is big or small, if you have desirable data, you can no
longer afford to wonder whether or not to invest in cybersecurity
insurance.
http://www.scmagazine.com/into-the-spotlight-cyberinsurance/article/443158/
FYI
- Don't spend more, spend better: Interview with FireEye's Richard
Turner - It's “the same but different” says Richard Turner, EMEA
president of security company FireEye, characterising the company's
most recent Advanced Threat Report.
http://www.scmagazine.com/dont-spend-more-spend-better-interview-with-fireeyes-richard-turner/article/442703/
FYI
- Early warning helped five Russian banks ward off DDoS attacks -
Five Russian banks that experienced a distributed denial of service
(DDoS) attack Sept. 26 believed to have been aimed at starting a
bitcoin-related panic had been warned in advance by the General
Directorate of Security and Information Protection of the country's
Central Bank.
http://www.scmagazine.com/ddos-attacks-on-russian-banks-reportedly-aimed-at-causing-bitcoin-panic/article/442842/
FYI
- D.C. police sign non-disclosure with FBI to keep StingRay use
private - Under a non-disclosure agreement with the Federal Bureau
of Investigation (FBI), the Metropolitan Police Department in
Washington, D.C., will keep its StingRay surveillance use private.
http://www.scmagazine.com/fbi-dc-police-sign-agreement-over-stingray-use/article/442695/
FYI
- Home Depot breach costs expected to reach billions - Owing to a
slew of lawsuits filed by banks and credit unions, the expected cost
to Home Depot for a cyber intrusion may reach into the billions,
according to Insurance Business America (IBA).
http://www.scmagazine.com/home-depot-breach-costs-expected-to-reach-billions/article/442849/
FYI
- Cyber Security at Civil Nuclear Facilities: Understanding the
Risks - The risk of a serious cyber attack on civil nuclear
infrastructure is growing, as facilities become ever more reliant on
digital systems and make increasing use of commercial
‘off-the-shelf’ software, according to a new Chatham House report.
https://www.chathamhouse.org/publication/cyber-security-civil-nuclear-facilities-understanding-risks
FYI
- California city mayor relinquishes electronics and passwords to
agents at SFO [Updated] - Stockton, California Mayor Anthony R.
Silva attended a recent mayor's conference in China, but his return
trip took a bit longer than usual. At the San Francisco
International Airport (SFO) this week, agents with the Department of
Homeland Security detained Silva and confiscated his personal cell
phone among other electronics. According to comments from the mayor,
that may not even be the most alarming part.
http://arstechnica.com/tech-policy/2015/10/small-town-mayor-relinquishes-electronics-and-passwords-to-agents-at-sfo/
FYI
- DOD now requires contractors to report hacks - The Department of
Defense (DOD) will require its biggest contractors to disclose
certain cybersecurity breaches.
http://thehill.com/policy/cybersecurity/255757-dod-now-requires-contractors-to-report-cyber-breaches
FYI
- Average cost of cybercrime rises again in 2015 to $7.7 million -
The cost of cybercrime rose yet again this year with the average
global annualized cost coming out to $7.7 million, a new report from
the Ponemon Institute and Hewlett Packard Enterprise indicates.
http://www.scmagazine.com/ponemon-and-hp-release-annual-cybercrime-cost-study/article/443433/
FYI
- Berkshire Hathaway Specialty Insurance enters cyberinsurance arena
- Warren Buffett is not exactly launching the Geico gecko into the
cyberinsurance space, but his Berkshire Hathaway Specialty Insurance
division today did unveil two new policies targeted at this area.
http://www.scmagazine.com/berkshire-hathaway-specialty-insurance-enters-cyberinsurance-arena/article/443419/
FYI
- NIST seeks to secure, raise trustworthiness of email - The
National Institute of Standards and Technology (NIST) unveiled two
projects designed to secure email.
http://www.scmagazine.com/nist-seeks-to-secure-raise-trustworthiness-of-email/article/443423/
FYI
- Canadian military wants to hack cars - The Canadian Department of
National Defence put a $825,000 contract up for bid to find a firm
that will study how to hack an automobile and come up with a
mitigating response.
http://www.scmagazine.com/canadian-military-wants-to-hack-cars/article/443970/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Patreon thieves drop data, expose users' info all over web - 15GB
file lifted from crowd-funding outfit hits dump sites - Attackers
who compromised crowd-funding outfit Patreon have dumped its user
data on various bin sites around the web.
http://www.theregister.co.uk/2015/10/02/patreon_attackers_drop_data_expose_users/
FYI
- Patreon's hack exposes data on 2.3 million users - Cybersecurity
firm Detectify said it tried to warn crowdfunding platform Patreon
that it was at risk of attack about five days before a hack exposed
the personal information of 2,330,382 anonymous donors.
http://www.scmagazine.com/patreons-hack-exposes-data-on-23-million-users/article/443518/
FYI
- 15 MILLION T-Mobile US customer records swiped by hackers -
Applied for a phone contract? Successful or not, you're boned -
Experian's servers have been hacked – and now sensitive files on 15
million people who applied for T-Mobile US contracts have fallen
into the wrong hands.
http://www.theregister.co.uk/2015/10/01/experian_tmobile_breach/
http://www.cnet.com/news/data-breach-snags-data-from-15m-t-mobile-customers/
FYI
- State Trooper Vehicles Hacked - Car-hacking research initiative in
Virginia shows how even older vehicles could be targeted in
cyberattacks. A state trooper responding to a call starts his
vehicle, but is unable to shift the gear from park to drive. The
engine RPMs suddenly spike and the engine accelerates, no foot on
the pedal. Then the engine cuts off on its own.
http://www.darkreading.com/attacks-breaches/state-trooper-vehicles-hacked-/d/d-id/1322415
http://www.scmagazine.com/researchers-look-for-vulnerabilities-in-police-fleet-cars-to-defend-cyberattacks/article/442869/
FYI
- Trump confirms carders raided Las Vegas hotel sales tills -
Republican prez candidate a hit among thieves. Trump Hotel
Collection has confirmed in a letter to customers that IT security
at one of its Las Vegas hotels was breached.
http://www.theregister.co.uk/2015/09/29/trump_confirms_carders_raided_las_vegas_hotel_point_of_sale_systems/
FYI
- Scottrade breach affects roughly 4.6 million clients - Scottrade
is notifying approximately 4.6 million clients that illegal activity
occurred on its network and personal information may have been
compromised.
http://www.scmagazine.com/scottrade-breach-affects-roughly-46-million-clients/article/442872/
FYI
- Scottrade Breach Hit 4.6 Million Customers, Began 2 Years Ago -
Social Security numbers might have been exposed, but the main target
appears to have been contact information. Today, Scottrade Inc.
announced a breach of 4.6 million customer contact information
records (and possibly Social Security numbers), resulting from an
attack that occurred between late 2013 and early 2014.
http://www.darkreading.com/risk/scottrade-breach-hit-46-million-customers-began-2-years-ago/d/d-id/1322470
FYI
- Breach at the American Bankers Association exposes 6,400 emails
and passwords - The American Bankers Association (ABA), based in
Washington, D.C., is notifying more than 6,000 ABA shopping cart
users of a breach that exposed their personal information.
http://www.scmagazine.com/breach-at-the-american-bankers-association-exposes-6400-emails-and-passwords/article/443284/
FYI
- Fake LinkedIn profiles, 'convincing' network linked to Iran-based
group - The Counter Threat Unit (CTU), the Dell SecureWorks research
team, uncovered an initiative by an Iran-based threat group it
dubbed Threat Group 2889, to create a network of fake LinkedIn
profiles for “obtaining confidential information they can use for
cyber espionage purposes.”
http://www.scmagazine.com/iran-threat-group-that-created-fake-linkedin-personas-likely-intent-on-cyberespionage/article/443718/
FYI
- Sony hack's invasion of privacy still grates on CEO - Nearly a
year after a crippling hack, the studio's boss says he was
distressed by how some people combed leaked emails for embarrassing
information. Almost a year after a massive hack crippled Sony
Entertainment, it's still a sore subject with CEO Michael Lynton.
http://www.cnet.com/news/sony-hacks-invasion-of-privacy-still-grates-on-ceo/
FYI
- Samsung says customer payment data not affected by hack attack - A
March attack was aimed at LoopPay, a payments company owned by
Samsung, but the electronics giant insists customer data is safe.
Customers who use the Samsung Pay mobile payments system weren't
hurt by a hack attack on LoopPay, a company Samsung acquired to help
power the service, the company said on Thursday.
http://www.cnet.com/news/samsung-says-customer-payment-data-not-affected-by-hack-attack/
FYI
- Report indicates Uber looking into Lyft employee as possible
culprit in data breach - As Uber continues to investigate a data
breach of its drivers database, Reuters came out with a report
Thursday that claimed the car service's primary suspect is also its
main rival: Lyft.
http://www.scmagazine.com/uber-connecting-the-dots-between-lyft-cto-and-drivers-database-breach-report-says/article/444006/
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services
Due Diligence in Selecting a Service Provider - Oversight of Service Provider
Monitor Contract Compliance and Revision Needs
• Review invoices to assure proper charges for services rendered, the
appropriateness of rate changes and new service charges.
• Periodically, review the service provider’s performance relative to
service level agreements, determine whether other contractual terms
and conditions are being met, and whether any revisions to service
level expectations or other terms are needed given changes in the
institution’s needs and technological developments.
• Maintain documents and records regarding contract compliance,
revision and dispute resolution.
Maintain Business Resumption Contingency Plans
• Review the service provider’s business resumption contingency plans
to ensure that any services considered mission critical for the
institution can be restored within an acceptable timeframe.
• Review the service provider’s program for contingency plan testing.
For many critical services, annual or more frequent tests of the
contingency plan are typical.
• Ensure service provider interdependencies are considered for
mission critical services and applications.
FFIEC IT SECURITY -
Over the next few weeks, we will cover the OCC Bulletin about
Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how to
prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks is
increasingly intertwined. The number of reported incidents of
intrusions nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
vulnerabilities.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY -
We continue the series on the National Institute of Standards and
Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.1 Computer Security Supports the Mission of the Organization.
The purpose of computer security is to protect an organization's
valuable resources, such as information, hardware, and software.
Through the selection and application of appropriate safeguards,
security helps the organization's mission by protecting its physical
and financial resources, reputation, legal position, employees, and
other tangible and intangible assets. Unfortunately, security is
sometimes viewed as thwarting the mission of the organization by
imposing poorly selected, bothersome rules and procedures on users,
managers, and systems. On the contrary, well-chosen security rules
and procedures do not exist for their own sake -- they are put in
place to protect important assets and thereby support the overall
organizational mission.
Security, therefore, is a means to an end and not an end in itself.
For example, in a private-sector business, having good security is
usually secondary to the need to make a profit. Security, then,
ought to increase the firm's ability to make a profit. In a
public-sector agency, security is usually secondary to the agency's
service provided to citizens. Security, then, ought to help improve
the service provided to the citizen.
To act on this, managers need to understand both their
organizational mission and how each information system supports that
mission. After a system's role has been defined, the security
requirements implicit in that role can be defined. Security can then
be explicitly stated in terms of the organization's mission.
The roles and functions of a system may not be constrained to a
single organization. In an interorganizational system, each
organization benefits from securing the system. For example, for
electronic commerce to be successful, each of the participants
requires security controls to protect their resources. However, good
security on the buyer's system also benefits the seller; the buyer's
system is less likely to be used for fraud or to be unavailable or
otherwise negatively affect the seller. (The reverse is also true.)