R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 25, 2015

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI
- Tech giants team up against new cyber-security law - A public protest has been issued against a controversial US cyber-security bill by some of the world's tech giants. Google, Facebook, Amazon and other major tech firms have teamed up against the Cyber-security Information Sharing Act (CISA) that is due to be laid out for consideration by the US Senate in the coming weeks. The CISA aims to share threat intelligence between private companies and the government. http://www.scmagazine.com/tech-giants-team-up-against-new-cyber-security-law/article/448101/

FYI - Army Cyber Command readies cyber units for the battlefield - U.S. soldiers may not charge into battle typing away on their laptops to fend off enemy cyberattacks any time soon, but the U.S. Army Cyber Command is actively working on the role these troops will someday play on the battlefield. http://www.scmagazine.com/army-cyber-command-readies-cyber-units-for-the-battlefield/article/448011/

FYI - Insider sued for hacking Skunkwerks Software clients - A February cyberattack against clients of Vancouver, Canada-based Skunkwerks Software is being ascribed to a former employee, according to The Vancouver Sun. http://www.scmagazine.com/insider-sued-for-hacking-skunkwerks-software-clients/article/447419/

FYI - Healthcare providers must boost cyber defenses: Accenture - The continued digitization of the nation's healthcare system will place $305 billion worth of personal and medical information online and squarely in the crosshairs of cybercriminals in the next five years, according to a report by Accenture. http://www.scmagazine.com/healthcare-providers-must-boost-cyber-defenses-accenture/article/447695/

FYI - Report places a value on stolen data sold on the black market - While it's no secret that stolen payment card information is valuable, researchers at Intel Security found that other types of stolen data sold on the digital black market can garner even larger sums. http://www.scmagazine.com/intel-security-puts-a-price-on-stolen-data-sold-on-the-black-market/article/447443/

FYI - Secret source code pronounces you guilty as charged - When a computer "spits out something, you'd like to know how it did it." The results from a Pennsylvania company's TrueAllele DNA testing software have been used in roughly 200 criminal cases, from California to Florida, helping put murderers and rapists in prison. http://arstechnica.com/tech-policy/2015/10/secret-source-code-pronounces-you-guilty-as-charged/

FYI - Former employee pleads guilty to deleting company files, disabling accounts - A former web developer with a Winchester-based company pleaded guilty to a federal computer crime on Wednesday in U.S. District Court for the Western District of Virginia. http://www.scmagazine.com/former-employee-pleads-guilty-to-deleting-company-files-disabling-accounts/article/448136/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hacking group stole credit card data of 150K casino customers - The personal information of 150,000 customers of an as-yet-unnamed casino was compromised following an incursion by the "Fin5" hacking group, according to The Register. http://www.scmagazine.com/hacking-group-stole-credit-card-data-of-150k-casino-customers/article/446251/

FYI - Payment card breach at Peppermill Resort Spa Casino in Reno - An undisclosed number of individuals are being notified that an attack may have compromised credit and debit cards used between October 2014 and February 2015 at the front desk of the Reno, Nev.-based Peppermill Resort Spa Casino. http://www.scmagazine.com/payment-card-breach-at-peppermill-resort-spa-casino-in-reno/article/447433/

FYI - Customs and Border Protection system computer problems cause airport delays - Major airports across the country experienced delays Wednesday night after problems with a Department of Homeland Security computer system caused problems at U.S. ports of entry, officials said. https://www.washingtonpost.com/blogs/dr-gridlock/wp/2015/10/14/customs-and-border-protection-system-computer-problems-cause-airport-delays/

FYI - Laptop theft affects thousands of OU Medicine patients - Roughly 9,300 individuals are being notified that a laptop containing personal information was stolen from a physician who formerly worked for the University of Oklahoma Department of Urology. http://www.scmagazine.com/laptop-theft-affects-thousands-of-ou-medicine-patients/article/447709/

FYI - Lloyds Group left thousands of accounts potentially open to attack - It's a case of customer service gone bad. Lloyds Banking Group, in a quest to simplify account signup and inter-operability between its brands, created a system that could be hacked by someone with virtually no IT skills. http://www.scmagazine.com/lloyds-group-left-thousands-of-accounts-potentially-open-to-attack/article/447518/

FYI - New details released on zoo POS breach - Service Systems Associates (SSA), a third-party vendor that handles retail and concession payments, released new details of a point-of-sale (POS) breach that affected several zoos and museums across the country earlier this year. http://www.scmagazine.com/new-details-released-for-pos-breach-that-affected-10-zoos-and-museums-across-the-country/article/447694/

FYI - Hackers siphon off $31 million from British bank accounts - Crime agencies from across Europe partner with the FBI to investigate and shut down the spread of Dridex banking malware. Hackers have stolen more than £20 million ($31 million) from British online bank accounts using hostile, intrusive software that harvested user log-in details. http://www.cnet.com/news/hackers-siphon-off-31-million-from-british-bank-accounts/

FYI - High school student reportedly hacks CIA director's personal email - A high school student has claimed to have hacked the private email account of CIA Director John Brennan where the student found a number of sensitive, government-related files, according to a report in the New York Post. http://www.scmagazine.com/cia-director-brennans-personal-email-contained-sensitive-info-hacker-says/article/447996/

FYI - Dow Jones targeted by Russian hackers for trading information - A group of Russian hackers were reported to have hacked Dow Jones & Co. servers in pursuit of embargoed market-moving information more than a year ago. http://www.scmagazine.com/dow-jones-targeted-by-russian-hackers-for-trading-information/article/447972/

FYI - Community Catalysts of California notifies clients of flash drive theft - Community Catalysts of California is notifying more than a thousand current and former clients that the residence of an employee was burglarized and a flash drive containing their personal information was stolen. http://www.scmagazine.com/community-catalysts-of-california-notifies-clients-of-flash-drive-theft/article/447841/

FYI - Woods Hole Oceanographic Institution Says Hack Linked to China - Woods Hole Oceanographic Institution, a private, nonprofit facility that does scientific research on the world's oceans, says it was the target of an "aggressive" cyberattack it believes to have originated in China. http://www.nbcnews.com/tech/security/woods-hole-oceanographic-institution-says-hack-linked-china-n446226

FYI - Anonymous attacks two Japanese airports - In protest over the Japanese dolphin-hunting industry, Anonymous has launched DDoS attacks on two major Japanese airports. http://www.scmagazine.com/anonymous-attacks-two-japanese-airports/article/448102/

FYI - North Korean hackers breach South Korea's executive office servers - North Korean hackers accessed servers belonging to the Blue House, the executive office of South Korea, and stole data from computers belonging to members of the nation's legislature, South Korea's intelligence agency has reported. http://www.scmagazine.com/north-korean-hackers-breach-south-koreas-executive-office-servers/article/448582/

FYI - EyeBuyDirect announces website breach, payment cards affected - An undisclosed number of individuals are being notified that unauthorized access was gained to EyeBuyDirect's website and personal information – including payment card data – may have been compromised. http://www.scmagazine.com/eyebuydirect-announces-website-breach-payment-cards-affected/article/448565/

FYI - Data accessible on internet, Salt Lake County sends out 14K notification letters - The Salt Lake County, Utah mayor's office has sent out approximately 14,000 notification letters to those whose data was exposed in an incident involving workers' compensation and other damage claims submitted to the County. http://www.scmagazine.com/data-accessible-on-internet-salt-lake-county-sends-out-14k-notification-letters/article/448843/


WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 
(Part 2 of 10)
 
 
A. RISK DISCUSSION
 
 Introduction
 

 Compliance risk arises when the linked third party acts in a manner that does not conform to regulatory requirements. For example, compliance risk could arise from the inappropriate release or use of shared customer information by the linked third party. Compliance risk also arises when the link to a third party creates or affects compliance obligations of the financial institution.
 
 Financial institutions with weblinking relationships are also exposed to other risks associated with the use of technology, as well as certain risks specific to the products and services provided by the linked third parties. The amount of risk exposure depends on several factors, including the nature of the link.
 
 Any link to a third-party website creates some risk exposure for an institution. This guidance applies to links to affiliated, as well as non-affiliated, third parties. A link to a third-party website that provides a customer only with information usually does not create a significant risk exposure if the information being provided is relatively innocuous, for example, weather reports. Alternatively, if the linked third party is providing information or advice related to financial planning, investments, or other more substantial topics, the risks may be greater. Links to websites that enable the customer to interact with the third party, either by eliciting confidential information from the user or allowing the user to purchase a product or service, may expose the insured financial institution to more risk than those that do not have such features.



FFIEC IT SECURITY -
We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we start a three-part review of controls to prevent and detect intrusions.
 
 Management should determine the controls necessary to deter, detect, and respond to intrusions, consistent with the best practices of information system operators. Controls may include the following: 
 
 1) Authentication. Authentication provides identification by means of some previously agreed upon method, such as passwords and biometrics (identifying a person by analyzing a unique physical attribute). The means and strength of authentication should be commensurate with the risk. For instance, passwords should be of an appropriate length, character set, and lifespan for the systems being protected. (The lifespan of a password is the length of time the password allows access to the system. The bulletin's view is that, generally speaking, shorter lifespans reduce the risk of password compromise; note that later guidance has moved away from routine forced expiration, favoring long passwords screened against lists of known-compromised passwords and a forced change when compromise is suspected.) Employees should be trained to recognize and respond to fraudulent attempts to compromise the integrity of security systems. This includes "social engineering," whereby intruders pose as authorized users to gain access to bank systems or customer records.
 
 2) Install and Update Systems. When a bank acquires and installs new or upgraded systems or equipment, it should review security parameters and settings to ensure that these are consistent with the intrusion risk assessment plan. For example, the bank should review user passwords and authorization levels to maintain "separation of duties" and "need to know" policies. Once installed, security flaws in software and hardware should be identified and remediated through updates or "patches." Continuous monitoring and updating is essential to protect the bank from vulnerabilities. Information related to vulnerabilities and patches is typically available from the vendor, from security-related web sites, and in the National Infrastructure Protection Center's bi-weekly CyberNotes.
 
 3) Software Integrity. Reference copies of software and integrity checkers (an integrity checker compares a file against a recorded baseline to determine whether it has been changed) are used to identify unauthorized changes to software. Banks should ensure the security of the integrity checklist and of the checking software itself; an intruder who can alter both the software and the checklist defeats the control. Where sufficient risk exists, the checklist and software should be stored away from the network, in a location where access is limited. Banks should also protect against viruses and other malicious software by using automated virus scanning software and frequently updating the signature file (the signature file contains the information necessary to identify each known virus) to enable identification of new viruses.
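The software-integrity control above, as an added example that is not part of the OCC bulletin or of this newsletter: a minimal Python integrity checker that baselines a directory with SHA-256, reports modified, missing and added files, and keeps an HMAC over the baseline so that an intruder who can alter the software cannot silently alter the checklist to match (the bulletin's reason for keeping the checklist away from the network). The directory tree, file names, file contents and key are constructed for the demonstration; in a real deployment the key and the signed baseline would be held off the monitored host.

```python
"""Added example: file-integrity baseline and verification with a keyed
(HMAC) checklist. Not from the OCC bulletin or from Yennik; all paths,
contents and the key below are constructed for the demonstration."""
import hashlib
import hmac
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def sign_baseline(baseline, key):
    """Attach an HMAC so that edits to the checklist itself are detected."""
    payload = json.dumps(baseline, sort_keys=True).encode()
    tag = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return {"files": baseline, "hmac": tag}


def load_signed_baseline(signed, key):
    """Reject a checklist whose HMAC does not verify (tampered, or wrong key)."""
    payload = json.dumps(signed["files"], sort_keys=True).encode()
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, signed["hmac"]):
        raise ValueError("baseline rejected: HMAC mismatch")
    return signed["files"]


def verify(root, baseline):
    """Compare the tree under root against the baseline."""
    current = build_baseline(root)
    return {
        "modified": sorted(f for f in baseline if f in current and current[f] != baseline[f]),
        "missing": sorted(f for f in baseline if f not in current),
        "added": sorted(f for f in current if f not in baseline),
    }


def write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: clean check, then a patched binary, a deleted
    config, a dropped-in DLL, and a forged checklist the HMAC catches."""
    key = b"constructed-demo-key"  # real keys stay off the monitored host
    with tempfile.TemporaryDirectory() as root:
        write(os.path.join(root, "bin", "teller.exe"), b"original binary")
        write(os.path.join(root, "config.ini"), b"[db]\nhost=core\n")
        signed = sign_baseline(build_baseline(root), key)
        clean = verify(root, load_signed_baseline(signed, key))

        with open(os.path.join(root, "bin", "teller.exe"), "ab") as f:
            f.write(b" + backdoor")               # unauthorized change
        os.remove(os.path.join(root, "config.ini"))  # deleted file
        write(os.path.join(root, "bin", "helper.dll"), b"unexpected")  # new file
        dirty = verify(root, load_signed_baseline(signed, key))

        # Intruder rewrites the checklist to match the altered tree but
        # cannot recompute the HMAC without the key.
        forged = {"files": build_baseline(root), "hmac": signed["hmac"]}
        try:
            load_signed_baseline(forged, key)
            forged_rejected = False
        except ValueError:
            forged_rejected = True
    return clean, dirty, forged_rejected


if __name__ == "__main__":
    print(demo())
```

The HMAC only protects the checklist; if the checking program itself runs from the monitored host, an intruder can replace it as well, which is why the bulletin wants both the checklist and the checker kept off the network where access is limited.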


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.
 
 Chapter 2 - ELEMENTS OF COMPUTER SECURITY
 
 2.4 Computer Security Responsibilities and Accountability Should Be Made Explicit.
 
 The responsibilities and accountability of owners, providers, and users of computer systems and other parties concerned with the security of computer systems should be explicit. The assignment of responsibilities may be internal to an organization or may extend across organizational boundaries.
 
 Depending on the size of the organization, the program may be large or small, even a collateral duty of another management official. However, even small organizations can prepare a document that states organization policy and makes explicit computer security responsibilities. This element does not specify that individual accountability must be provided for on all systems. For example, many information dissemination systems do not require user identification and, therefore, cannot hold users accountable.
 
 2.5 Systems Owners Have Security Responsibilities Outside Their Own Organizations.
 
 If a system has external users, its owners have a responsibility to share appropriate knowledge about the existence and general extent of security measures so that other users can be confident that the system is adequately secure. (This does not imply that all systems must meet any minimum level of security, but does imply that system owners should inform their clients or users about the nature of the security.)
 
 In addition to sharing information about security, organization managers "should act in a timely, coordinated manner to prevent and to respond to breaches of security" to help prevent damage to others. However, taking such action should not jeopardize the security of systems.
 
 2.6 Computer Security Requires a Comprehensive and Integrated Approach.
 

 Providing effective computer security requires a comprehensive approach that considers a variety of areas both within and outside of the computer security field. This comprehensive approach extends throughout the entire information life cycle.
 
 2.6.1 Interdependencies of Security Controls
 

 To work effectively, security controls often depend upon the proper functioning of other controls. In fact, many such interdependencies exist. If appropriately chosen, managerial, operational, and technical controls can work together synergistically. On the other hand, without a firm understanding of the interdependencies of security controls, they can actually undermine one another. For example, without proper training on how and when to use a virus-detection package, the user may apply the package incorrectly and, therefore, ineffectively. As a result, the user may mistakenly believe that their system will always be virus-free and may inadvertently spread a virus. In reality, these interdependencies are usually more complicated and difficult to ascertain.
 
 2.6.2 Other Interdependencies
 
 The effectiveness of security controls also depends on such factors as system management, legal issues, quality assurance, and internal and management controls. Computer security needs to work with traditional security disciplines including physical and personnel security. Many other important interdependencies exist that are often unique to the organization or system environment. Managers should recognize how computer security relates to other areas of systems and organizational management.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated