FYI
- Is your web site compliant with the Americans with Disabilities Act (ADA)?
For the past 20 years, our web site audits have included the
guidelines of the ADA. Help reduce any liability, please
contact me for more information at
examiner@yennik.com.
NIST study warns of security fatigue among users - Most web users
are overwhelmed with warnings of online threats and suffer from
“security fatigue,” according to the National Institute of Standards
and Technology (NIST).
http://www.scmagazine.com/nist-study-warns-of-security-fatigue-among-users/article/527430/
Cybersecurity preparedness requires threat intelligence information
sharing - Threat intelligence information sharing efforts have
become increasingly important as breaches become more pervasive.
Karen Epper Hoffman reports.
http://www.scmagazine.com/cybersecurity-preparedness-requires-threat-intelligence-information-sharing/article/522661/
Russian anti-terrorism law allows security firms to hack Facebook
Messenger, Skype, WhatsApp - A recently passed Russian law has given
the country's security firms the green light to crack encrypted
communication services including Facebook Messenger, Skype and
WhatsApp.
http://www.scmagazine.com/new-russian-law-encourages-firms-to-hack-encrypted-messaging-applications/article/527274/
Researchers send wireless logins through the human body - As
security professionals continue to warn of serious threats facing
mobile, wearable, Internet of Things (IoT), and medical devices, a
team of researchers has developed a method of sending passwords
through the human body that may assist in securing commodity
devices.
http://www.scmagazine.com/researchers-send-wireless-logins-through-the-human-body/article/527463/
TalkTalk fined £400,000 for theft of customer details - TalkTalk has
been fined a record £400,000 for poor website security which led to
the theft of the personal data of nearly 157,000 customers.
http://www.bbc.com/news/business-37565367
Two Teenagers Arrested For Alleged Cyberattack-For-Hire Services -
The American and Dutch suspects allegedly associated with 'Lizard
Squad' hacking group also operated websites to launch DDoS attacks
and traffic stolen payment card details.
http://www.darkreading.com/attacks-breaches/two-teenagers-arrested-for-alleged-cyberattack-for-hire-services/d/d-id/1327112
Consumer cybersecurity concerns cost U.K. economy billions, study -
U.K. consumers put their money where the security is as a recent
study found 36 percent of them are more reluctant to use apps out of
security concerns and their actions have cost the U.K. economy
nearly $2.8 billion this year alone.
http://www.scmagazine.com/uk-consumers-put-their-money-where-the-security-is/article/535656/
Europe to Push New Security Rules Amid IoT Mess - The European
Commission is drafting new cybersecurity requirements to beef up
security around so-called Internet of Things (IoT) devices such as
Web-connected security cameras, routers and digital video recorders
(DVRs).
http://krebsonsecurity.com/2016/10/europe-to-push-new-security-rules-amid-iot-mess/
GAO - Health Care Quality: HHS Should Set Priorities and
Comprehensively Plan Its Efforts to Better Align Health Quality
Measures.
Report:
http://www.gao.gov/products/GAO-17-5
Highlights:
http://www.gao.gov/assets/690/680432.pdf
Top five email phishing attack lures revealed and how to prevent
them - Phishing remains one of the top threats seen by organisations
today. Threat actors use various social engineering tricks to
convince users that their requests for information or money
transfers are legitimate.
http://www.scmagazine.com/top-five-email-phishing-attack-lures-revealed-and-how-to-prevent-them/article/546809/
Hype hampers understanding of cyber-security says Aussie government
- A report by the Australian Cyber-Security Centre says that the
misuse and over-hyping of cyber-security terms has hampered the
public's ability to understand cyber-security issues.
http://www.scmagazine.com/hype-hampers-understanding-of-cyber-security-says-aussie-government/article/547131/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- WordPress site hack highlights emerging 'Windows keys' redirect
scam - Researchers at Sucuri are monitoring a rise in website
compromises in which visitors are redirected to domains that offer
to sell Windows product keys.
http://www.scmagazine.com/wordpress-site-hack-highlights-emerging-windows-keys-redirect-scam/article/527277/
BuzzFeed hacked by OurMine - Following its exposé accusing OurMine
of web defacements, the website BuzzFeed was itself hit.
http://www.scmagazine.com/buzzfeed-hacked-by-ourmine/article/527278/
Email that hacked AZ voter registration looked like an employee,
official says - The email that gave Russian hackers access to an
Arizona registration base looked like it came from an employee, and
any normal person would have clicked on it, Arizona Secretary of
State Michele Reagan said Wednesday.
http://www.cnbc.com/2016/10/05/email-that-hacked-az-voter-registration-looked-like-an-employee-said-official.html
Central Ohio Urology Group reports 300K records compromised - The
Central Ohio Urology Group reported that in early August it became
aware of an incident in which an unauthorized party posted patient and
employee information to Twitter.
http://www.scmagazine.com/central-ohio-urology-group-reports-300k-records-compromised/article/535653/
How France's TV5 was almost destroyed by 'Russian hackers' -
TV5Monde was taken off air in April 2015. A group calling itself the
Cyber Caliphate, linked to so-called Islamic State, first claimed
responsibility.
http://www.bbc.com/news/technology-37590375
J&J warns diabetic patients: Insulin pump vulnerable to hacking -
Johnson & Johnson is telling patients that it has learned of a
security vulnerability in one of its insulin pumps that a hacker
could exploit to overdose diabetic patients with insulin, though it
describes the risk as low.
http://www.reuters.com/article/us-johnson-johnson-cyber-insulin-pumps-e-idUSKCN12411L
Data breach and ransomware hit Hutchinson Community Foundation - The
Hutchinson Community Foundation in Kansas was hit with a data breach
and ransomware attack.
http://www.scmagazine.com/data-breach-and-ransomware-hit-hutchinson-community-foundation/article/546824/
Unsecured database lets hacker expose 58 million plus records from
data management firm - A hacker scanning for unsecured databases was
able to compromise at least 58.8 million records – and possibly as
many as 258 million – from Modern Business Solutions (MBS), a data
management and monetization firm primarily serving the automotive,
employment and real-estate industries.
http://www.scmagazine.com/unsecured-database-lets-hacker-expose-58-million-plus-records-from-data-management-firm/article/548357/
Malware behind payment card breach at University of Central Florida
- A malware infection is to blame for a payment card data breach
affecting at least 230 University of Central Florida students.
http://www.scmagazine.com/malware-behind-payment-card-breach-at-university-of-central-florida/article/548176/
Potter County, Texas voter website hacked - Potter County, Texas
officials are assuring users that their voter information website is
safe after learning that hackers gained access to it.
http://www.scmagazine.com/potter-county-tx-voting-information-site-breached/article/548185/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Security Controls
While the Board of Directors has the responsibility for ensuring
that appropriate security control processes are in place for
e-banking, the substance of these processes needs special management
attention because of the enhanced security challenges posed by
e-banking. This should include establishing appropriate
authorization privileges and authentication measures, logical and
physical access controls, adequate infrastructure security to
maintain appropriate boundaries and restrictions on both internal
and external user activities and data integrity of transactions,
records and information. In addition, the existence of clear audit
trails for all e-banking transactions should be ensured and measures
to preserve confidentiality of key e-banking information should be
commensurate with the sensitivity of such information.
Although customer protection and privacy regulations vary from
jurisdiction to jurisdiction, banks generally have a clear
responsibility to provide their customers with a level of comfort
regarding information disclosures, protection of customer data and
business availability that approaches the level they can expect when
using traditional banking distribution channels. To minimize legal
and reputational risk associated with e-banking activities conducted
both domestically and cross-border, banks should make adequate
disclosure of information on their web sites and take appropriate
measures to ensure adherence to customer privacy requirements
applicable in the jurisdictions to which the bank is providing
e-banking services.
FFIEC IT SECURITY
-
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Application-Level Firewalls
Application-level firewalls perform application-level screening,
typically including the filtering capabilities of packet filter
firewalls with additional validation of the packet content based on
the application. Application-level firewalls capture and compare
packets to state information in the connection tables. Unlike a
packet filter firewall, an application-level firewall continues to
examine each packet after the initial connection is established for
specific applications or services such as telnet, FTP, HTTP, SMTP,
etc. The application-level firewall can provide additional screening
of the packet payload for commands, protocols, packet length,
authorization, content, or invalid headers. Application-level
firewalls provide the strongest level of security, but are slower
and require greater expertise to administer properly.
The primary disadvantages of application-level firewalls are:
! The time required to read and interpret each packet slows network
traffic. Traffic of certain types may have to be split off before
the application level firewall and passed through different access
controls.
! Any particular firewall may provide only limited support for new
network applications and protocols, and may simply pass traffic from
those applications and protocols through the firewall without
inspecting it.
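The following is an added example, not text or code from the FFIEC booklet or from this newsletter. It models in Python the distinction drawn above: a packet filter decides on the port and never reads the payload, while an application-level inspector keeps examining each message after the connection is established, checking commands against an allowlist, enforcing a line-length cap and rejecting malformed headers. The sample packets, the permitted ports, the allowed HTTP methods and FTP commands, and the 2048-byte limit are all constructed assumptions for illustration. The port with no inspector shows the second disadvantage listed above: traffic for an application the firewall does not understand is either blocked (fail-closed) or passed through uninspected (fail-open), and that choice is policy, not parsing.

```python
import re
from dataclasses import dataclass

# Constructed sample traffic: (dst_port, payload) on established TCP
# connections. Illustrative only; not captured from a real network.
SAMPLES = [
    (80, b"GET /index.html HTTP/1.1\r\nHost: bank.example\r\n\r\n"),
    (80, b"TRACE / HTTP/1.1\r\nHost: bank.example\r\n\r\n"),
    (80, b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: bank.example\r\n\r\n"),
    (80, b"GET / HTTP/1.1\r\nBad Header Without Colon\r\n\r\n"),
    (21, b"USER alice\r\n"),
    (21, b"SITE EXEC ls\r\n"),
    (21, b"PORT 10,0,0,5,0,22\r\n"),
    (8443, b"\x16\x03\x01 new application, no inspector written yet"),
    (23, b"login: "),
]

# Assumed policy: ports the packet filter permits, application commands the
# deeper inspector tolerates, and a line-length cap for oversized requests.
ALLOWED_PORTS = {80, 21, 8443}
HTTP_METHODS = {"GET", "POST", "HEAD"}
FTP_COMMANDS = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "STOR",
                "QUIT", "PASV", "TYPE"}
MAX_LINE_LEN = 2048
# RFC 7230 header shape: token ":" value, nothing else on the line.
HEADER_RE = re.compile(rb"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+:[ \t]*[^\r\n]*$")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def packet_filter(port: int, payload: bytes) -> Verdict:
    """Packet-filter view: decide on the port; the payload is never read."""
    if port in ALLOWED_PORTS:
        return Verdict(True, f"port {port} permitted")
    return Verdict(False, f"port {port} not permitted")


def inspect_http(payload: bytes) -> Verdict:
    """Validate request line, method allowlist, line length and header syntax."""
    head, sep, _body = payload.partition(b"\r\n\r\n")
    if not sep:
        return Verdict(False, "HTTP: incomplete header block")
    lines = head.split(b"\r\n")
    if any(len(line) > MAX_LINE_LEN for line in lines):
        return Verdict(False, f"HTTP: line longer than {MAX_LINE_LEN} bytes")
    parts = lines[0].split(b" ")
    if len(parts) != 3 or not parts[2].startswith(b"HTTP/1."):
        return Verdict(False, "HTTP: malformed request line")
    method = parts[0].decode("ascii", "replace")
    if method not in HTTP_METHODS:
        return Verdict(False, f"HTTP: method {method} not allowed")
    for header in lines[1:]:
        if not HEADER_RE.match(header):
            return Verdict(False, f"HTTP: invalid header {header!r}")
    return Verdict(True, f"HTTP: {method} permitted")


def inspect_ftp(payload: bytes) -> Verdict:
    """Allowlist FTP commands; SITE EXEC and active-mode PORT fall outside it."""
    line = payload.rstrip(b"\r\n")
    if len(line) > MAX_LINE_LEN:
        return Verdict(False, "FTP: command line too long")
    cmd = line.split(b" ", 1)[0].upper().decode("ascii", "replace")
    if cmd not in FTP_COMMANDS:
        return Verdict(False, f"FTP: command {cmd} not allowed")
    return Verdict(True, f"FTP: {cmd} permitted")


INSPECTORS = {80: inspect_http, 21: inspect_ftp}


def application_firewall(port: int, payload: bytes,
                         fail_open: bool = False) -> Verdict:
    """Port check first, then protocol-specific screening of the payload."""
    verdict = packet_filter(port, payload)
    if not verdict.allowed:
        return verdict
    inspector = INSPECTORS.get(port)
    if inspector is None:
        # No parser for this application: block it, or with fail_open pass it
        # through uninspected (the second disadvantage listed in the text).
        state = "passed through uninspected" if fail_open else "blocked"
        return Verdict(fail_open, f"no inspector for port {port}; {state}")
    return inspector(payload)


def compare(samples=SAMPLES, fail_open: bool = False):
    """Return (packet_filter_allowed, app_firewall_allowed, reason) per sample."""
    out = []
    for port, payload in samples:
        pf = packet_filter(port, payload)
        af = application_firewall(port, payload, fail_open)
        out.append((pf.allowed, af.allowed, af.reason))
    return out


if __name__ == "__main__":
    for (port, _), (pf_ok, af_ok, reason) in zip(SAMPLES, compare()):
        print(port, "packet-filter:", "ALLOW" if pf_ok else "DENY",
              "| app-level:", "ALLOW" if af_ok else "DENY", "|", reason)
```

Every HTTP and FTP sample passes the packet filter, because port 80 and port 21 are permitted; only the application-level pass catches the TRACE method, the oversized request line, the header without a colon, SITE EXEC and the active-mode PORT command. The cost is the first disadvantage listed above: each line of every message is parsed, which is why high-volume traffic is often split off to a faster packet filter or stateful device before it reaches an inspector like this.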
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE
CYCLE
8.4.3 Implementation
Some life cycle planning efforts do not specify a separate
implementation phase. (It is often incorporated into the end
of development and acquisition or the beginning of operation and
maintenance.) However, from a security point of view, a critical
security activity, accreditation, occurs between development and the
start of system operation. The other activities described in this
section, turning on the controls and testing, are often incorporated
at the end of the development/acquisition phase.
8.4.3.1 Install/Turn-On Controls
While obvious, this activity is often overlooked. When acquired, a
system often comes with security features disabled. These need to be
enabled and configured. For many systems this is a complex task
requiring significant skills. Custom-developed systems may also
require similar work.
8.4.3.2 Security Testing
System security testing includes both the testing of the particular
parts of the system that have been developed or acquired and the
testing of the entire system. Security management, physical
facilities, personnel, procedures, the use of commercial or in-house
services (such as networking services), and contingency planning are
examples of areas that affect the security of the entire system, but
may be specified outside of the development or acquisition cycle.
Since only items within the development or acquisition cycle will
have been tested during system acceptance testing, separate tests or
reviews may need to be performed for these additional security
elements.
Security certification is a formal testing of the security
safeguards implemented in the computer system to determine whether
they meet applicable requirements and specifications. To provide
more reliable technical information, certification is often
performed by an independent reviewer, rather than by the people who
designed the system. (This is the type of independent testing we
perform. For more information visit
http://www.internetbankingaudits.com/)