FYI - "The FDIC does not require
financial institutions we supervise to change penetration
testing firms on a periodic basis. Any such decision would be up
to bank management." You can find the complete letter at
http://www.yennik.com/fdic_10-18-16_rotation_letter.pdf.
Is your web site compliant with the Americans with Disabilities Act (ADA)?
For the past 20 years, our bank web site audits have covered the
ADA guidelines. To help reduce any liability, please
contact me for more information at
examiner@yennik.com.
Yahoo tells SEC it knew of network intrusion as far back as 2014 -
In a filing with the Securities and Exchange Commission (SEC) on
Wednesday, Yahoo admitted that some individuals within the company
were aware of a network systems intrusion by a state-sponsored actor
– one that ultimately led to the compromise of over 500 million
accounts – shortly after the incident occurred in late 2014.
https://www.scmagazine.com/yahoo-tells-sec-it-knew-of-network-intrusion-as-far-back-as-2014/article/572220/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Lansing, Mich., utility admits paying ransomware demand -
Officials with the Lansing Board of Water & Light (BWL) publicly
acknowledged on Tuesday that the utility paid a cybercriminal
operation $25,000 to regain control of its accounting and email
systems in the days following an April 25 ransomware attack.
https://www.scmagazine.com/lansing-mich-utility-admits-paying-ransomware-demand/article/572180/
Former patients affected in Broward Health breach - Fort Lauderdale,
Fla.-based Broward Health announced a breach that may have
compromised patient data.
https://www.scmagazine.com/former-patients-affected-in-broward-health-breach/article/572223/
Russian banks hit by cyber-attack - Five Russian banks have been
under intermittent cyber-attack for two days, said the country's
banking regulator.
http://www.bbc.com/news/technology-37941216
Finns chilling as DDoS knocks out building control system - Hint:
next time, buy a firewall before you're attacked - Residents in two
apartment buildings in the Finnish town of Lappeenranta had a
chill-out lasting more than a week after a DDoS attack battered
unprotected building management systems.
http://www.theregister.co.uk/2016/11/09/finns_chilling_as_ddos_knocks_out_building_control_system/
Capgemini leaks 780,000 Michael Page job candidate CVs - UK-based
international recruitment firm Michael Page has had a database of
780,000 of its job applicants from around the world accidentally
leaked by consulting firm Capgemini.
https://www.scmagazine.com/capgemini-leaks-780000-michael-page-job-candidate-cvs/article/572506/
2,100 veterans PII sent in unencrypted email - More than 2,100
veterans in Colorado and Kansas received an unpleasant alert just in
time for Veterans Day.
https://www.scmagazine.com/2100-veterans-pii-sent-in-unencrypted-email/article/572630/
Biggest hack of 2016: 412 million FriendFinder Networks accounts
exposed - More than 412 million user accounts have been exposed
thanks to FriendFinder Networks being hacked. The breach included 20
years of historical customer data from six compromised databases.
http://computerworld.com/article/3141290/security/biggest-hack-of-2016-412-million-friendfinder-network-accounts-exposed.html
Baxter Credit Union email account compromised exposing customer data
- The Baxter Credit Union (BCU), headquartered in Deerfield, Ill.,
reported that on October 11 it learned an employee email account had
been compromised and used to send spam and other unsolicited emails.
https://www.scmagazine.com/baxter-credit-union-email-account-compromised-exposing-customer-data/article/573468/
WEB SITE COMPLIANCE - We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Risk management principles (Part 2 of 2)
The Committee recognizes that banks will need to develop risk
management processes appropriate for their individual risk profile,
operational structure and corporate governance culture, as well as
in conformance with the specific risk management requirements and
policies set forth by the bank supervisors in their particular
jurisdiction(s). Further, the numerous e-banking risk management
practices identified in this Report, while representative of current
industry sound practice, should not be considered to be
all-inclusive or definitive, since many security controls and other
risk management techniques continue to evolve rapidly to keep pace
with new technologies and business applications.
This Report does not attempt to dictate specific technical
solutions to address particular risks or set technical standards
relating to e-banking. Technical issues will need to be addressed on
an on-going basis by both banking institutions and various
standards-setting bodies as technology evolves. Further, as the
industry continues to address e-banking technical issues, including
security challenges, a variety of innovative and cost efficient risk
management solutions are likely to emerge. These solutions are also
likely to address issues related to the fact that banks differ in
size, complexity and risk management culture and that jurisdictions
differ in their legal and regulatory frameworks.
For these reasons, the Committee does not believe that a "one size
fits all" approach to e-banking risk management is appropriate, and
it encourages the exchange of good practices and standards to
address the additional risk dimensions posed by the e-banking
delivery channel. In keeping with this supervisory philosophy, the
risk management principles and sound practices identified in this
Report are expected to be used as tools by national supervisors and
implemented with adaptations to reflect specific national
requirements where necessary, to help promote safe and secure
e-banking activities and operations.
The Committee recognizes that each bank's risk profile is different
and requires a risk mitigation approach appropriate for the scale of
the e-banking operations, the materiality of the risks present, and
the willingness and ability of the institution to manage these
risks. These differences imply that the risk management principles
presented in this Report are intended to be flexible enough to be
implemented by all relevant institutions across jurisdictions.
National supervisors will assess the materiality of the risks
related to e-banking activities present at a given bank and whether,
and to what extent, the risk management principles for e-banking
have been adequately met by the bank's risk management framework.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - OPERATING SYSTEM ACCESS (Part 1 of 2)
Financial institutions must control access to system software
within the various network clients and servers as well as
stand-alone systems. System software includes the operating system
and system utilities. The computer operating system manages all of
the other applications running on the computer. Common operating
systems include IBM OS/400 and AIX, Linux, various versions of
Microsoft Windows, and Sun Solaris. Security administrators and IT
auditors need to understand the common vulnerabilities and
appropriate mitigation strategies for their operating systems.
Application programs and data files interface through the operating
system. System utilities are programs that perform repetitive
functions such as creating, deleting, changing, or copying files.
System utilities also could include numerous types of system
management software that can supplement operating system
functionality by supporting common system tasks such as security,
system monitoring, or transaction processing.
System software can provide high-level access to data and data
processing. Unauthorized access could result in significant
financial and operational losses. Financial institutions must
restrict privileged access to sensitive operating systems. While
many operating systems have integrated access control software,
third-party security software is available for most operating
systems. In the case of many mainframe systems, these programs are
essential to ensure effective access control and can often integrate
the security management of both the operating system and the
applications. Network security software can allow institutions to
improve the effectiveness of the administration and security policy
compliance for a large number of servers often spanning multiple
operating system environments. The critical aspects for access
control software, whether included in the operating system or
additional security software, are that management has the capability
to:
- Restrict access to sensitive or critical system resources or
processes and have the capability, depending on the sensitivity, to
extend protection at the program, file, record, or field level;
- Log user or program access to sensitive system resources,
including files, programs, processes, or operating system
parameters; and
- Filter logs for potential security events and provide adequate
reporting and alerting capabilities.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue
the series on the National Institute of Standards and Technology
(NIST) Handbook.
Chapter 8 - SECURITY AND PLANNING IN THE COMPUTER SYSTEM LIFE CYCLE
8.5 Interdependencies
Like many management controls, life cycle planning relies upon
other controls. Three closely linked control areas are policy,
assurance, and risk management.
Policy. The development of system-specific policy is an
integral part of determining the security requirements.
Assurance. Good life cycle management provides assurance
that security is appropriately considered in system design and
operation.
Risk Management. The maintenance of security throughout the
operational phase of a system is a process of risk management:
analyzing risk, reducing risk, and monitoring safeguards. Risk
assessment is a critical element in designing the security of
systems and in reaccreditations.
8.6 Cost Considerations
Security is a factor throughout the life cycle of a system.
Sometimes security choices are made by default, without anyone
analyzing why choices are made; sometimes security choices are made
carefully, based on analysis. The first case is likely to result in
a system with poor security that is susceptible to many types of
loss. In the second case, the cost of life cycle management should
be much smaller than the losses avoided. The major cost
considerations for life cycle management are personnel costs and
some delays as the system progresses through the life cycle for
completing analyses and reviews and obtaining management approvals.
It is possible to overmanage a system: to spend more time planning,
designing, and analyzing risk than is necessary. Planning, by
itself, does not further the mission or business of an organization.
Therefore, while security life cycle management can yield
significant benefits, the effort should be commensurate with the
system's size, complexity, and sensitivity and the risks associated
with the system. In general, the higher the value of the system, the
newer the system's architecture, technologies, and practices, and
the worse the impact if the system security fails, the more effort
should be spent on life cycle management.