FYI - Our cybersecurity testing
meets the independent pen-test requirements outlined in
the FFIEC Information Security booklet. Independent
pen-testing is part of any financial institution's cybersecurity
defense. To receive due diligence information, the agreement,
and cost-saving fees, please complete the information form at
https://yennik.com/forms-vista-info/external_vista_info_form.htm.
All communication is kept strictly confidential.
FYI - FFIEC Releases Statement on Cyber Attacks Involving Extortion - The
Federal Financial Institutions Examination Council members today
issued a statement alerting financial institutions to the increasing
frequency and severity of cyber attacks involving extortion.
www.ffiec.gov/press/pr110315.htm
FYI - FTC, LifeLock settlement could reach $116 million - The identity theft
protection firm LifeLock and the Federal Trade Commission (FTC)
announced that they have reached a tentative settlement that should
close out a five-year-long case over alleged deceptive business
practices.
http://www.scmagazine.com/ftc-lifelock-settlement-could-reach-116-million/article/450650/
FYI - Pentagon Creates Cybersecurity Exchange Program With Industry -
The U.S. Defense Department is sending career personnel on tours
with private cybersecurity companies and bringing in specialists
from those companies to gain the skills necessary to defend military
networks from hackers, the Pentagon’s chief information officer
said.
http://www.bloomberg.com/news/articles/2015-10-29/pentagon-creates-cybersecurity-exchange-program-with-industry
FYI - IRS tells Senate: We only use our stingrays with court orders -
"It can only be used based on probable cause of criminal activity."
The head of the Internal Revenue Service told a Senate committee on
Tuesday that its stingrays are "only used in criminal
investigations."
http://arstechnica.com/tech-policy/2015/10/irs-tells-senate-we-only-use-our-stingrays-with-court-orders/
FYI - ENISA puts smart devices and IoT on top of European security
agenda - EU infosec body broadens remit with funding into car,
healthcare and airport IT security research.
http://www.scmagazine.com/enisa-puts-smart-devices-and-iot-on-top-of-european-security-agenda/article/450202/
FYI - U.S. Air Force adds extra pay for cyberspace specialists - The
U.S. Air Force has added cyber warfare operations as a job position
eligible for special duty pay.
http://www.scmagazine.com/us-air-force-adds-extra-pay-for-cyberspace-specialists/article/451182/
FYI - F-Secure launches bug bounty program with max reward valued at
nearly $17,000 - F-Secure launched a bug bounty this past week,
which could dole out max rewards amounting to approximately $16,527.
http://www.scmagazine.com/f-secure-encourages-researchers-through-vulnerability-program/article/451210/
FYI - White House Issues Governmentwide Cyber Action - The White House
on Friday issued a broad new plan designed to better respond to
cybersecurity incidents such as those that exposed secrets on
millions of citizens as well as government operations.
http://www.nextgov.com/cybersecurity/2015/10/white-house-issues-governmentwide-cyber-action-plan/123302/
FYI - Which Navy N00bs Have a Gift for Stopping Hacks? - The Navy is
preparing to experiment with an exam aimed at predicting the types
of sailors capable of grasping cybersecurity skills without ever
having picked up a book or keyboard.
http://www.nextgov.com/cybersecurity/2015/10/pop-quiz-which-navy-n00bs-have-gift-stopping-hacks/123298/
FYI - Say What? Even the Experts Disagree on Cyber Terminology - The
recent Office of Personnel Management cyber breach was not only a
case of stolen federal employee and contractor data. It may also
have been one of mistaken identity.
http://www.nextgov.com/cybersecurity/2015/10/even-experts-dont-agree-definition-cyber-terms/123303/
FYI - Bank of England to test banks' security in operation Resilient
Shield - As attacks on the UK's financial institutions increase, the
Bank of England is getting ready to test the banks' preparedness
for such an event.
http://www.scmagazine.com/bank-of-england-to-test-banks-security-in-operation-resilient-shield/article/451319/
FYI - Get used to it?: Mega breaches - Amid widespread cynicism about
mass cybersecurity failures, IT security pros, analysts and vendors
are scrambling to develop the strategies, technologies and tools to
plug the leaks today and develop long-term approaches to prevent
similar collapses in the future.
http://www.scmagazine.com/get-used-to-it-mega-breaches/article/451889/
FYI - OPM appoints new cyber advisor - The U.S. Office of Personnel
Management (OPM) appointed a new cyber and information advisor on
Wednesday.
http://www.scmagazine.com/clifton-triplett-takes-over-as-cyber-advisor-at-opm/article/451763/
FYI - OMB framework lays out privacy requirements for fed agencies - The
privacy framework proposed by the Office of Management and Budget
(OMB) is a “big, bold statement” by an influential government body,
Trevor Hughes, president and CEO of the International Association of
Privacy Professionals (IAPP), told SCMagazine.com Wednesday, that
will hold federal agencies to some very specific and critical
requirements to safeguard privacy.
http://www.scmagazine.com/omb-framework-lays-out-privacy-requirements-for-fed-agencies/article/451811/
FYI - JPMorgan Chase CSO reportedly reassigned following data breach -
JPMorgan Chase & Co.'s CSO was reportedly reassigned to a new
position within the bank following the company's major data breach
this past year.
http://www.scmagazine.com/jim-cummings-receives-new-position-in-texas-after-bank-breach/article/452043/
FYI - Many U.K. workers willing to sell their company's IP: Study -
Demonstrating that financial gain can be a motivator for nefarious
activity, 35 percent of employees were willing to sell their firm's
intellectual property if the price was right.
http://www.scmagazine.com/many-uk-workers-willing-to-sell-their-companys-ip-study/article/452102/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - First National Bank of Omaha issuing new debit cards after large
breach - The First National Bank of Omaha is issuing new debit cards
to customers in seven states after a large data breach at an
unidentified national firm.
http://www.scmagazine.com/first-national-bank-of-omaha-issuing-new-debit-cards-to-customers-in-seven-states/article/450688/
FYI - Almost 2,000 Vodafoners open to fraud after details stolen -
Telecoms provider Vodafone has reported that nearly 2,000 of its
customers have had their details accessed. According to Vodafone,
the incident happened between Wednesday and Thursday last week.
http://www.scmagazine.com/human-error-cited-as-leading-contributor-to-breaches-study-shows/article/451225/
http://www.zdnet.com/article/vodafone-admits-hack-customer-bank-details-stolen/
FYI - License Plate Readers Exposed! How Public Safety Agencies
Responded to Major Vulnerabilities in Vehicle Surveillance Tech -
Law enforcement agencies around the country have been all too eager
to adopt mass surveillance technologies, but sometimes they have put
little effort into ensuring the systems are secure and the sensitive
data they collect on everyday people is protected.
https://www.eff.org/deeplinks/2015/10/license-plate-readers-exposed-how-public-safety-agencies-responded-massive
FYI - Salt Lake schools hit with DDoS attack - The Salt Lake City School
District was struck by a DDoS attack last Friday that brought down
the district's website, phone system and online administrative
tools.
http://www.scmagazine.com/salt-lake-schools-hit-with-ddos-attack/article/451480/
FYI - User data compromised in breach of vBulletin - All passwords have
been reset for users of vBulletin software, used for website forums,
following a breach that compromised the personally identifiable
information of nearly 480,000 subscribers, according to Ars Technica.
http://www.scmagazine.com/user-data-compromised-in-breach-of-vbulletin/article/451640/
FYI - Utah student information compromised over six-year period - The
Utah State Office of Education discovered student information was
compromised over the last six years.
http://www.scmagazine.com/utah-student-information-compromised-over-six-year-period/article/452046/
WEB SITE COMPLIANCE - We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
Reputation Risk
Trade Names
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
Website Appearance
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
Compliance Risk
The compliance risk to an institution linking to a
third-party's website depends on several factors. These factors
include the nature of the products and services provided on the
third-party's website, and the nature of the institution's business
relationship with the third party. This is particularly true with
respect to compensation arrangements for links. For example, a
financial institution that receives payment for offering
advertisement-related weblinks to a settlement service provider's
website should carefully consider the prohibition against kickbacks,
unearned fees, and compensated referrals under the Real Estate
Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review the
last of a three part series regarding controls to prevent and detect
intrusions.
8) Encryption. Encryption is a means of securing data. Data can be
encrypted when it is transmitted, and when it is stored. Because
networks are not impervious to penetration, management should
evaluate the need to secure their data as well as their network.
Management's use of encryption should be based on an internal risk
assessment and a classification of data. The strength of encryption
should be proportional to the risk and impact if the data were
revealed.
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should revalidate periodically access lists
and logon IDs.
10) Accurate and Complete Records of Users and Activities. Accurate
and complete records of users and activities are essential for
analysis, recovery, and development of additional security measures,
as well as possible legal action. Information of primary importance
includes the methods used to gain access, the extent of the
intruder's access to systems and data, and the intruder's past and
current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
information.
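As an added example, not part of the newsletter or of the OCC bulletin it summarizes, the Python below shows one way to make the records described above tamper-evident once they reach the separate collector: each entry carries an HMAC over the previous entry's tag and the record's canonical encoding, so an edited, deleted or reordered entry breaks the chain. The sample events, the collector key and all function names are constructed for illustration. A chain on its own cannot reveal that the newest entries were cut off, which is why the verifier also accepts a head tag that the collector is assumed to publish to a separate location.

```python
import hashlib
import hmac
import json

# Constructed sample records (not taken from the newsletter). They carry the
# facts the OCC text calls "of primary importance": who, from where, what.
SAMPLE_EVENTS = [
    {"ts": "2015-11-02T09:14:03Z", "user": "jdoe", "src": "10.1.4.22",
     "action": "login", "result": "success"},
    {"ts": "2015-11-02T09:14:40Z", "user": "jdoe", "src": "10.1.4.22",
     "action": "read", "object": "cust/44812"},
    {"ts": "2015-11-02T09:15:12Z", "user": "jdoe", "src": "10.1.4.22",
     "action": "export", "object": "cust/44812"},
]

# Hypothetical key. It belongs to the collector that stores the records, not to
# the systems that emit them, so a compromised host cannot re-seal the chain.
COLLECTOR_KEY = b"collector-secret-key-for-illustration"

GENESIS = "0" * 64  # tag assumed for the entry before the first one


def canonical(event):
    """Stable byte encoding so the same event always yields the same tag."""
    return json.dumps(event, sort_keys=True, separators=(",", ":")).encode()


def seal(prev_tag, event, key):
    """HMAC over the previous tag and this event: the link in the chain."""
    return hmac.new(key, prev_tag.encode() + canonical(event),
                    hashlib.sha256).hexdigest()


def append(chain, event, key=COLLECTOR_KEY):
    """Add an event to the chain; its tag binds it to everything before it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    chain.append({"seq": len(chain), "prev": prev_tag, "event": event,
                  "tag": seal(prev_tag, event, key)})
    return chain


def head(chain):
    """Current head tag; publish it off-box so truncation can be detected."""
    return chain[-1]["tag"] if chain else GENESIS


def verify(chain, key=COLLECTOR_KEY, expected_head=None):
    """Recompute every tag. Returns (ok, index of first bad entry or None).

    Detects edited entries (tag mismatch), deleted or reordered entries
    (seq/prev mismatch) and, when expected_head is given, removal of the
    newest entries, which the chain alone cannot reveal.
    """
    prev_tag = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("seq") != i or entry.get("prev") != prev_tag:
            return False, i
        if not hmac.compare_digest(seal(prev_tag, entry["event"], key),
                                   entry["tag"]):
            return False, i
        prev_tag = entry["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag,
                                                             expected_head):
        return False, len(chain)
    return True, None


def build_chain(events=SAMPLE_EVENTS, key=COLLECTOR_KEY):
    """Seal the constructed sample events into a fresh chain."""
    chain = []
    for event in events:
        append(chain, event, key)
    return chain


if __name__ == "__main__":
    chain = build_chain()
    print("intact:", verify(chain))
    chain[1]["event"] = dict(chain[1]["event"], object="cust/00001")
    print("edited entry 1:", verify(chain))
```

Because the emitting systems never hold the collector key, an intruder who gains root on a monitored host can stop new records from being sent but cannot rewrite what the collector already holds without the verifier noticing; the published head tag closes the remaining gap of silently dropping the tail.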
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 3 - Roles and Responsibilities
One fundamental issue that arises in discussions of computer
security is: "Whose responsibility is it?" Of course, on a basic
level the answer is simple: computer security is the responsibility
of everyone who can affect the security of a computer system.
However, the specific duties and responsibilities of various
individuals and organizational entities vary considerably.
This chapter presents a brief overview of roles and
responsibilities of the various officials and organizational offices
typically involved with computer security. They include the
following groups:
1) senior management,
2) program/functional managers/application owners,
3) computer security management,
4) technology providers,
5) supporting organizations, and
6) users.
This chapter is intended to give the reader a basic familiarity
with the major organizational elements that play a role in computer
security. It does not describe all responsibilities of each in
detail, nor will this chapter apply uniformly to all organizations.
Organizations, like individuals, have unique characteristics, and no
single template can apply to all. Smaller organizations, in
particular, are not likely to have separate individuals performing
many of the functions described in this chapter. Even at some larger
organizations, some of the duties described in this chapter may not
be staffed with full-time personnel. What is important is that these
functions be handled in a manner appropriate for the organization.
As with the rest of the handbook, this chapter is not intended to be
used as an audit guide.
3.1 Senior Management - Senior management has ultimate
responsibility for the security of an organization's computer
systems.
Ultimately, responsibility for the success of an organization lies
with its senior managers. They establish the organization's computer
security program and its overall program goals, objectives, and
priorities in order to support the mission of the organization.
Ultimately, the head of the organization is responsible for ensuring
that adequate resources are applied to the program and that it is
successful. Senior managers are also responsible for setting a good
example for their employees by following all applicable security
practices.