FYI - Australian official: Hackers stole documents on spy planes and warships - Hackers breached a contractor for Australia's Department of Defence and stole documents containing information about next-generation spy planes and naval warships, a government official publicly disclosed. https://www.scmagazine.com/australian-official-hackers-stole-documents-on-spy-planes-and-warships/article/699433/

Bill legalizing hacking back introduced in the House - Reps. Tom Graves, R-Ga., and Kyrsten Sinema, D-Az., today introduced the Active Cyber Defense Bill which if passed would give individuals and companies hit with a cyberattack the legal authority to hack back against their assailant. https://www.scmagazine.com/bill-legalizing-hacking-back-introduced-in-the-house/article/700220/

Oilpro.com founder sentenced to prison after pleading guilty for hacking competitor - The founder of a professional networking site was sentenced to a year and one day in prison after hacking into a competitor's database and attempting to sell his site to the same company whose database he hacked. https://www.scmagazine.com/the-oilprocom-founder-hacked-a-competitors-database-to-boost-own-companys-value/article/699598/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Another AWS leak exposes 150,000 Patient Home Monitoring Corp. client records - Another publicly accessible Amazon S3 repository has been once again been left exposing sensitive consumer information, this time affecting approximately 150,000 U.S. patients. https://www.scmagazine.com/patient-home-monitoring-corp-exposed-475-gb-worth-of-patient-data/article/699640/

Hyatt Hotels reports POS data breach - Hyatt Hotels announced today a point of sale (POS) breach that impacted several dozen of the company's locations between March and July 2017. https://www.scmagazine.com/hyatt-hotels-reports-pos-data-breach/article/699932/

KU student expelled after using Keystroke logger to change grades - A University of Kansas student was expelled from the school after allegedly changing his grades from an "F" to an "A" using information he obtained via a keystroke logger. https://www.scmagazine.com/ku-student-used-keystroke-logger-to-change-grades/article/700036/

DDoS attacks delay trains, stymie transportation services in Sweden - A series of distributed of denial of service attacks aimed at Sweden's transportation services caused train delays and disrupted over travel service earlier this week. https://www.scmagazine.com/ddos-attacks-delay-trains-stymie-transportation-services-in-sweden/article/700227/

Delayed delivery? Pizza Hut waits two weeks to disclose payment card data breach - Any way you slice it, it's not great news for Pizza Hut customers who learned on Saturday their personal data was stolen during an Oct. 1-2 breach of the Italian food chain's website. https://www.scmagazine.com/delayed-delivery-pizza-hut-waits-two-weeks-to-disclose-payment-card-data-breach/article/700533/

We Heart It breached, 8 million affected - The online image sharing website We Heart It told its members late last week that more than 8 million of its accounts were compromised in a data breach that took place four years ago. https://www.scmagazine.com/we-heart-it-breached-8-million-affected/article/700874/

Return to the top of the newsletter

WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services ( Part 2 of 4)

Risk Assessment

The board of directors and senior management are responsible for understanding the risks associated with outsourcing arrangements for technology services and ensuring that effective risk management practices are in place. As part of this responsibility, the board and management should assess how the outsourcing arrangement will support the institution’s objectives and strategic plans and how the service provider’s relationship will be managed. Without an effective risk assessment phase, outsourcing technology services may be inconsistent with the institution’s strategic plans, too costly, or introduce unforeseen risks.

Outsourcing of information and transaction processing and settlement activities involves risks that are similar to the risks that arise when these functions are performed internally. Risks include threats to security, availability and integrity of systems and resources, confidentiality of information, and regulatory compliance. In addition, the nature of the service provided, such as bill payment, funds transfer, or emerging electronic services, may result in entities performing transactions on behalf of the institution, such as collection or disbursement of funds, that can increase the levels of credit, liquidity, transaction, and reputation risks.

Management should consider additional risk management controls when services involve the use of the Internet. The broad geographic reach, ease of access, and anonymity of the Internet require close attention to maintaining secure systems, intrusion detection and reporting systems, and customer authentication, verification, and authorization. Institutions should also understand that the potential risks introduced are a function of a system’s structure, design and controls and not necessarily the volume of activity.

An outsourcing risk assessment should consider the following:  

• Strategic goals, objectives, and business needs of the financial institution.
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial institution.
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service provider.
• Contingency plans, including availability of alternative service providers, costs and resources
required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic
objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.

Return to the top of the newsletter

FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
 
 SECURITY TESTING - OUTSOURCED SYSTEMS
 
 Management is responsible for ensuring institution and customer data is protected, even when that data is transmitted, processed, or stored by a service provider. Service providers should have appropriate security testing based on the risk to their organization, their customer institutions, and the institution's customers. Accordingly, management and auditors evaluating TSPs providers should use the above testing guidance in performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the testing performed at the service provider through review of timely audits and test results or other equivalent evaluations.

Return to the top of the newsletter

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 13 - AWARENESS, TRAINING, AND EDUCATION
 
 13.1 Behavior
 
 People are a crucial factor in ensuring the security of computer systems and valuable information resources. Human actions account for a far greater degree of computer-related loss than all other sources combined. Of such losses, the actions of an organization's insiders normally cause far more harm than the actions of outsiders. (Chapter 4 discusses the major sources of computer-related loss.)
 
 The major causes of loss due to an organization's own employees are: errors and omissions, fraud, and actions by disgruntled employees. One principal purpose of security awareness, training, and education is to reduce errors and omissions. However, it can also reduce fraud and unauthorized activity by disgruntled employees by increasing employees' knowledge of their accountability and the penalties associated with such actions.
 
 Management sets the example for behavior within an organization. If employees know that management does not care about security, no training class teaching the importance of security and imparting valuable skills can be truly effective. This "tone from the top" has myriad effects an organization's security program.