R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

November 22, 2015

Newsletter Content: FFIEC IT Security, Web Site Compliance, NIST Handbook, Penetration Testing
Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration study also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Our cybersecurity testing meets the independent pen-test requirements outlined in the FFIEC Information Security booklet, and the penetration study complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  Independent pen-testing is part of any financial institution's cybersecurity defense.  To receive due diligence information, the agreement, and cost-saving fees, please complete the information form at https://yennik.com/forms-vista-info/external_vista_info_form.htm.  All communication is kept strictly confidential.

FYI - Updated FFIEC Management Booklet Part of IT Examination Handbook Series - The Federal Financial Institutions Examination Council (FFIEC) has issued a revised "Management" booklet that provides guidance to assist examiners in evaluating the information technology (IT) governance at financial institutions and service providers. The booklet is part of the IT Examination Handbook series.  https://www.fdic.gov/news/news/financial/2015/fil15054.html

FYI - 70% of Brits don't think email is a potential cyber-threat - Over two thirds (69 percent) of British respondents to a recent survey are unaware that they could be vulnerable to cyber-attack simply by opening an email. http://www.scmagazine.com/70-of-brits-dont-think-email-is-a-potential-cyber-threat/article/454986/

FYI - Insider threat more dangerous than external risks - While external threats present an ever-present risk for large and small enterprises, according to a newly released report, the actions of a company's own employees, suppliers and partners pose more of an immediate danger. http://www.scmagazine.com/report-insider-threat-more-dangerous-than-external-risks/article/455117/

FYI - U.S. and U.K. Test Response to Major Financial Cyberattack - Britain and the United States carried out a planned drill with leading global firms on Thursday to see how they would respond to a cyber incident in the financial sector. http://www.nbcnews.com/tech/security/u-s-u-k-test-response-major-financial-cyberattack-n462406

FYI - It’s Way Too Easy to Hack the Hospital - Firewalls and medical devices are extremely vulnerable, and everyone’s pointing fingers. http://www.bloomberg.com/features/2015-hospital-hack/

FYI - Oil & Gas cyber-vulnerabilities - There is no air gap between IT and OT: that was the key message for oil and gas sector CISOs coming out of the Black Hat Amsterdam talk. http://www.scmagazine.com/black-hat-amsterdam-oil-gas-cyber-vulnerabilities/article/453467/

FYI - Tor alleges FBI paid Carnegie Mellon $1M to hack hidden services - The Tor Project is alleging that the Federal Bureau of Investigation (FBI) paid Carnegie Mellon University (CMU) researchers $1 million to attack Tor's hidden services last year.
http://www.scmagazine.com/tor-alleges-fbi-paid-carnegie-mellon-1m-to-hack-hidden-services/article/453586/
http://www.wired.com/2015/11/tor-says-feds-paid-carnegie-mellon-1m-to-help-unmask-users/

FYI - Former parking ticket bloke turns out to be cybersecurity genius - Newcastle man posts impressively high score on infosec guru course - Mr. Bradley, who spent the last 15 years processing car parking fines for Newcastle City Council, is set to become one of the UK's top cyber professionals after achieving one of the highest ever scores in the internationally recognised GIAC cyber security qualifications. http://www.theregister.co.uk/2015/11/11/newcastle_parking_clerk_cybersecurity_genius_sans_academy/

FYI - How extorted e-mail provider got back online after crippling DDoS attack - Hint: It had nothing to do with the $6,000 ransom it paid to the Armada Collective. http://arstechnica.com/security/2015/11/how-extorted-e-mail-provider-got-back-online-after-crippling-ddos-attack/

FYI - Pentagon purges HTML from .mil emails - The Pentagon is tightening the screws on its campaign to improve email security. A department-wide policy will soon be in effect to render Web links unclickable in emails to .mil addresses, Richard Hale, DOD deputy CIO for cybersecurity, told FCW. https://fcw.com/articles/2015/11/12/dot-mil-blocks-links.aspx

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers compromise 70 million prison inmate phone records - An estimated 70 million phone calls made by prisoners in the United States have been hacked and leaked to The Intercept. http://www.scmagazine.com/hackers-compromise-70-million-prison-inmate-phone-records/article/453355/

FYI - Comcast to reset 200K passwords after accounts compromised - Comcast is resetting thousands of customer passwords after their account information was spotted being marketed for up to $1,000 on a dark web site.
http://www.scmagazine.com/comcast-resetting-customer-passwords-after-account-info-found-on-dark-web/article/452886/
http://www.cnet.com/news/hackers-sale-of-comcast-log-ins-reminds-us-to-change-our-password-habits/

FYI - Third-party Instagram app pulled after stealing passwords - The app, called InstaAlert, was snagging usernames and passwords and sending them to a remote server, according to the developer who spotted it. http://www.cnet.com/news/third-party-instagram-app-pulled-after-stealing-passwords/

FYI - Police body cams found pre-installed with notorious Conficker worm - One of the world's most prolific pieces of malware is found in cams from Martel. One of the world's most prolific computer worms has been found infecting several police body cameras that were sent to security researchers, the researchers reported. http://arstechnica.com/security/2015/11/police-body-cams-found-pre-installed-with-notorious-conficker-worm/

FYI - A 23-year-old Windows 3.1 system failure crashed Paris airport - Some of the most important networks and systems today are woefully outdated. And that isn't always a bad thing. http://www.zdnet.com/article/a-23-year-old-windows-3-1-system-failure-crashed-paris-airport/

FYI - Georgia office leaks data on six million voters - A lawsuit filed on Tuesday in Fulton County Superior Court, Georgia, alleges that the office of Secretary of State Brian Kemp released personal identifying information (PII) of Georgia voters to 12 organizations, including statewide political parties and news media. http://www.scmagazine.com/georgia-office-leaks-data-on-six-million-voters/article/455130/


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 6 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Due Diligence

A financial institution should conduct sufficient due diligence to determine whether it wishes to be associated with the quality of products, services, and overall content provided by third-party sites. A financial institution should consider more product-focused due diligence if the third parties are providing financial products, services, or other financial website content. In this case, customers may be more likely to assume the institution reviewed and approved such products and services. In addition to reviewing the linked third party's financial statements and its customer service performance levels, a financial institution should consider a review of the privacy and security policies and procedures of the third party.  Also, the financial institution should consider the character of the linked party by considering its past compliance with laws and regulations and whether the linked advertisements might be viewed as deceptive advertising in violation of Section 5 of the Federal Trade Commission Act.


FFIEC IT SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Gathering and Retaining Intrusion Information.

Particular care should be taken when gathering intrusion information. The OCC expects management to clearly assess the tradeoff between enabling an easier recovery by gathering information about an intruder and the risk that an intruder will inflict additional damage while that information is being gathered. Management should establish and communicate procedures and guidelines to employees through policies, procedures, and training. Intrusion evidence should be maintained in a fashion that enables recovery while facilitating subsequent actions by law enforcement. Legal chain of custody requirements must be considered. In general, legal chain of custody requirements address controlling and securing evidence from the time of the intrusion until it is turned over to law enforcement personnel. Chain of custody actions, and those actions that should be guarded against, should be identified and embodied in the bank's policies, procedures, and training.
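As an added illustration of the chain-of-custody point above (this is example code written for this newsletter, not part of the OCC bulletin or any bank's procedures), the following Python sketch keeps a hash-chained custody ledger for a piece of intrusion evidence: every custody action records a digest of the evidence bytes and a digest of the previous ledger entry, so both a later alteration of the evidence and a retroactive edit of the ledger are detectable at hand-over. The evidence bytes, handler names and timestamps are constructed for the demonstration.

```python
"""Hash-chained chain-of-custody ledger for intrusion evidence (added example).

Not an OCC/FFIEC artifact; all sample data below is constructed.
"""
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int                # position in the ledger, starting at 0
    timestamp: str          # ISO-8601 time recorded by the handler
    action: str             # e.g. acquired / transferred / released_to_law_enforcement
    handler: str            # person or role holding the evidence after this action
    evidence_sha256: str    # digest of the evidence bytes at this step
    prev_entry_hash: str    # digest of the previous entry ("" for the first one)

    def entry_hash(self) -> str:
        # Canonical JSON so the digest does not depend on field order.
        return sha256_hex(json.dumps(self.__dict__, sort_keys=True).encode())


class CustodyLedger:
    def __init__(self, evidence: bytes):
        # Digest taken at acquisition; every later step is compared against it.
        self.evidence_sha256 = sha256_hex(evidence)
        self.entries: List[CustodyEntry] = []

    def record(self, timestamp: str, action: str, handler: str, evidence: bytes) -> CustodyEntry:
        prev = self.entries[-1].entry_hash() if self.entries else ""
        entry = CustodyEntry(len(self.entries), timestamp, action, handler,
                             sha256_hex(evidence), prev)
        self.entries.append(entry)
        return entry

    def verify(self, evidence: bytes) -> List[str]:
        """Return a list of problems; an empty list means evidence and ledger are intact."""
        problems: List[str] = []
        if sha256_hex(evidence) != self.evidence_sha256:
            problems.append("evidence bytes differ from the acquisition digest")
        prev = ""
        for i, e in enumerate(self.entries):
            if e.seq != i:
                problems.append(f"entry {i}: sequence gap")
            if e.prev_entry_hash != prev:
                problems.append(f"entry {i}: broken link to previous entry")
            if e.evidence_sha256 != self.evidence_sha256:
                problems.append(f"entry {i}: evidence digest changed in custody of {e.handler}")
            prev = e.entry_hash()
        return problems


def build_demo_ledger() -> Tuple[CustodyLedger, bytes]:
    # Constructed sample evidence and custody history (not real data).
    evidence = b"constructed sample: web server access log excerpt\n"
    ledger = CustodyLedger(evidence)
    ledger.record("2015-11-20T08:15:00Z", "acquired", "incident responder", evidence)
    ledger.record("2015-11-20T09:00:00Z", "transferred", "evidence custodian", evidence)
    ledger.record("2015-11-21T14:30:00Z", "released_to_law_enforcement",
                  "law enforcement liaison", evidence)
    return ledger, evidence


def check_intact() -> List[str]:
    ledger, evidence = build_demo_ledger()
    return ledger.verify(evidence)              # []


def check_altered_evidence() -> List[str]:
    ledger, evidence = build_demo_ledger()
    return ledger.verify(evidence + b"an appended line\n")


def check_altered_ledger() -> List[str]:
    ledger, evidence = build_demo_ledger()
    ledger.entries[1].handler = "someone else"  # retroactive edit of a past entry
    return ledger.verify(evidence)              # the next entry's back-link no longer matches


if __name__ == "__main__":
    print("intact:", check_intact())
    print("altered evidence:", check_altered_evidence())
    print("altered ledger:", check_altered_ledger())
```

The ledger itself still has to be stored somewhere the parties cannot quietly rewrite (a write-once log, a signed copy held by a second custodian, or a printout signed at each hand-over); the hash chain makes tampering detectable, not impossible, which is exactly why the bulletin asks that the custody steps and the actions to guard against be written into policy and training.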



NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

3.4 Technology Providers

System Management/System Administrators. These personnel are the managers and technicians who design and operate computer systems. They are responsible for implementing technical security on computer systems and for being familiar with security technology that relates to their system. They also need to ensure the continuity of their services to meet the needs of functional managers as well as analyzing technical vulnerabilities in their systems (and their security implications). They are often a part of a larger Information Resources Management (IRM) organization.

Communications / Telecommunications Staff. This office is normally responsible for providing communications services, including voice, data, video, and fax service. Their responsibilities for communication systems are similar to those that systems management officials have for their systems. The staff may not be separate from other technology service providers or the IRM office.

System Security Manager/Officers. Often assisting system management officials in this effort is a system security manager/officer responsible for day-to-day security implementation / administration duties. Although not normally part of the computer security program management office, this officer is responsible for coordinating the security efforts of a particular system(s). This person works closely with system management personnel, the computer security program manager, and the program or functional manager's security officer. In fact, depending upon the organization, this may be the same individual as the program or functional manager's security officer. This person may or may not be a part of the organization's overall security office.

Help Desk. Whether or not a Help Desk is tasked with incident handling, it needs to be able to recognize security incidents and refer the caller to the appropriate person or organization for a response.

Who Should Be the Accrediting Official? (Note that accreditation is a formality unique to the government.)

The Accrediting Officials are agency officials who have authority to accept an application's security safeguards and approve a system for operation. The Accrediting Officials must also be authorized to allocate resources to achieve acceptable security and to remedy security deficiencies. Without this authority, they cannot realistically take responsibility for the accreditation decision. In general, Accreditors are senior officials, who may be the Program or Function Manager/Application Owner. For some very sensitive applications, the Senior Executive Officer is appropriate as an Accrediting Official. In general, the more sensitive the application, the higher the Accrediting Officials are in the organization.

Where privacy is a concern, federal managers can be held personally liable for security inadequacies. The issuing of the accreditation statement fixes security responsibility, thus making explicit a responsibility that might otherwise be implicit. Accreditors should consult the agency general counsel to determine their personal security liabilities.


PLEASE NOTE:
 
Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated