FYI
- California cops, want to use a stingray? Get a warrant, governor
says - On Thursday, California Governor Jerry Brown signed a bill
into law that requires police to obtain a warrant to use a stingray during
investigations. The devices, which are also known as cell-site
simulators, are usually used to locate a phone but can also in some
cases intercept calls and text messages.
http://arstechnica.com/tech-policy/2015/10/california-governor-signs-new-law-mandating-warrant-for-stingray-use/
http://www.scmagazine.com/california-signs-california-electronic-communications-privacy-act-into-law/article/444278/
FYI
- What’s in a Boarding Pass Barcode? A Lot - The next time you’re
thinking of throwing away a used boarding pass with a barcode on it,
consider tossing the boarding pass into a document shredder instead.
http://krebsonsecurity.com/2015/10/whats-in-a-boarding-pass-barcode-a-lot/
FYI
- Computer attack insurance rates rise after high-profile breaches -
Hacks of Sony, Target, Home Depot and major health insurers have
made it more expensive to cope with data theft, Reuters reports.
Just as you safeguard your home with insurance, companies get
insurance to cover any problems with customer and corporate data.
http://www.cnet.com/news/computer-attack-insurance-rates-rise-after-high-profile-breaches/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- LoopPay hackers may have wanted magnetic card-swipe tech -
Backwards-compatible feature used for old cash registers - Samsung’s
mobile payment system supplier, LoopPay, was hacked back in March
this year, it has emerged.
http://www.theregister.co.uk/2015/10/08/looppay_breach_samsung_pay_hackers_codoso_china/
FYI
- After USPS Phishing Hack, Audit Shows Postal Workers Still Click
on Links - Months after a suspected malicious email attack breached
U.S. Postal Service personnel data, a quarter of agency employees
fell for a simulated email scheme, according to an internal
watchdog.
http://www.nextgov.com/cybersecurity/2015/10/after-usps-phishing-hack-audit-shows-postal-workers-still-click-links/122639/
FYI
- Dow Jones & Co. breached, current and former subscribers contacted
- Hackers broke into Dow Jones & Co. systems and were able to access
information on fewer than 3,500 of the company's current and former
subscribers.
http://www.scmagazine.com/dow-jones-co-breached-current-and-former-subscribers-contacted/article/444422/
FYI
- E-Trade notifies 31,000 customers that their contact info may have
been breached in 2013 hack - Financial services company E-Trade
notified about 31,000 customers this week that some of their
personal information may have been accessed during a cyberattack in
late 2013.
https://www.washingtonpost.com/news/the-switch/wp/2015/10/09/e-trade-notifies-31000-customers-that-their-contact-info-may-have-been-breached-in-2013-hack/
FYI
- Dow Jones breached in hacking campaign - In a letter sent to
customers, the financial information company said there is no
evidence that data was stolen but that the hackers may also have
accessed credit card information of fewer than 3,500 individuals.
http://thehill.com/policy/cybersecurity/256647-dow-jones-breached-as-part-of-larger-hacking-campaign
FYI
- No evidence hackers caused flight delays - Southwest Airlines said
there is no evidence that a cybersecurity breach led to the
technical failures that delayed flights and stranded passengers
across the country on Sunday.
http://thehill.com/policy/cybersecurity/256676-southwest-no-evidence-hackers-caused-flight-delays
FYI
- Cyber Attack on South Korean Subway System Could Be a Sign of
Nastier Things to Come - A South Korean legislator revealed this
week that a report from the country's intelligence service suggested
that the North Korean government might have been behind a hack of
the Seoul Metro system last year that lasted several months.
https://news.vice.com/article/cyber-attack-on-south-korean-subway-system-could-be-a-sign-of-nastier-things-to-come
FYI
- Email incident affects 9,400 Schwab Retirement Plan Services participants
- Schwab Retirement Plan Services (SRPS) is notifying approximately
9,400 plan participants that a spreadsheet containing their personal
information was accidentally emailed to a participant in another
retirement plan serviced by SRPS.
http://www.scmagazine.com/email-incident-affects-9400-schwab-retirement-plan-services-participants/article/444729/
FYI
- Credit card numbers compromised in America's Thrift Store data breach -
America's Thrift Stores reported a breach that compromised credit
card information for an unknown number of its customers who shopped
at the 18-store chain in September 2015.
http://www.scmagazine.com/credit-card-numbers-compromised-in-americas-thrift-store-data-breach/article/444880/
FYI
- Uber exposes nearly 1,000 of its drivers' personal documents - Uber
accidentally exposed the personal information of hundreds of U.S.
drivers during the Tuesday release of its “Uber Partner app.”
http://www.scmagazine.com/uber-accidentally-leaks-nearly-1000-documents-belonging-to-more-than-600-drivers/article/445142/
FYI
- Hackers siphon off $31 million from British bank accounts - Crime agencies
from across Europe partner with the FBI to investigate and shut down
the spread of Dridex banking malware. Hackers have stolen more than
£20 million ($31 million) from British online bank accounts using
hostile, intrusive software that harvested user log-in details.
http://www.cnet.com/news/hackers-siphon-off-31-million-from-british-bank-accounts/
WEB SITE COMPLIANCE - We begin this week reviewing the FFIEC interagency
statement on "Weblinking: Identifying Risks and Risk Management
Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
- customer
dissatisfaction with the quality of products or services
obtained from a third party; and
- customer confusion as
to whether certain regulatory protections apply to third-party
products or services.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
security strategies and plans.
Senior management and the board of directors are responsible for
overseeing the development and implementation of their bank's
security strategy and plan. Key elements to be included in those
strategies and plans are an intrusion risk assessment plan, risk
mitigation controls, intrusion response policies and procedures, and
testing processes. These elements are needed for both internal and
outsourced operations.
The first step in managing the risks of intrusions is to assess the
effects that intrusions could have on the institution. Effects may
include direct dollar loss, damaged reputation, improper disclosure,
lawsuits, or regulatory sanctions. In assessing the risks,
management should gather information from multiple sources,
including (1) the value and sensitivity of the data and processes to
be protected, (2) current and planned protection strategies, (3)
potential threats, and (4) the vulnerabilities present in the
network environment. Once information is collected, management
should identify threats and the likelihood of those threats
materializing, rank critical information assets and operations, and
estimate potential damage.
The analysis should be used to develop an intrusion protection
strategy and risk management plan. The intrusion protection strategy
and risk management plan should be consistent with the bank's
information security objectives. It also should balance the cost of
implementing adequate security controls with the bank's risk
tolerance and profile. The plan should be implemented within a
reasonable time. Management should document this information, its
analysis of the information, and decisions in forming the protection
strategy and risk management plan. By documenting this information,
management can better control the assessment process and facilitate
future risk assessments.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series
on the National Institute of Standards and Technology (NIST) Handbook.
Chapter 2 - ELEMENTS OF COMPUTER SECURITY
2.2 Computer Security is an Integral Element of Sound
Management.
Information and computer systems are often critical assets that
support the mission of an organization. Protecting them can be as
critical as protecting other organizational resources, such as
money, physical assets, or employees.
However, including security considerations in the management of
information and computers does not completely eliminate the
possibility that these assets will be harmed. Ultimately,
organization managers have to decide what level of risk they are
willing to accept, taking into account the cost of security
controls.
As with many other resources, the management of information and
computers may transcend organizational boundaries. When an
organization's information and computer systems are linked with
external systems, management's responsibilities also extend beyond
the organization. This may require that management (1) know what
general level or type of security is employed on the external
system(s) or (2) seek assurance that the external system provides
adequate security for the using organization's needs.
2.3 Computer Security Should Be Cost-Effective.
The costs and benefits of security should be carefully examined in
both monetary and non-monetary terms to ensure that the cost of
controls does not exceed expected benefits. Security should be
appropriate and proportionate to the value of and degree of reliance
on the computer systems and to the severity, probability and extent
of potential harm. Requirements for security vary, depending upon
the particular computer system.
In general, security is a smart business practice. By investing in
security measures, an organization can reduce the frequency and
severity of computer security-related losses. For example, an
organization may estimate that it is experiencing significant losses
per year in inventory through fraudulent manipulation of its
computer system. Security measures, such as an improved access
control system, may significantly reduce the loss.
Moreover, a sound security program can thwart hackers and can
reduce the frequency of viruses. Elimination of these kinds of
threats can reduce unfavorable publicity as well as increase morale
and productivity.
Security benefits, however, do have both direct and indirect costs.
Direct costs include purchasing, installing, and administering
security measures, such as access control software or
fire-suppression systems. Additionally, security measures can
sometimes affect system performance, employee morale, or retraining
requirements. All of these have to be considered in addition to the
basic cost of the control itself. In many cases, these additional
costs may well exceed the initial cost of the control (as is often
seen, for example, in the costs of administering an access control
package). Solutions to security problems should not be chosen if
they cost more, directly or indirectly, than simply tolerating the
problem.