FYI - Cybersecurity Awareness Resources - As part of the FDIC's
Community Banking Initiative, the agency is adding to its
cybersecurity awareness resources for financial institutions. These
include a Cybersecurity Awareness video and three new vignettes for
the Cyber Challenge, which consists of exercises that are intended
to encourage discussions of operational risk issues and the
potential impact of information technology disruptions on common
banking functions.
https://www.fdic.gov/news/news/financial/2015/fil15055.html
Tor wars: CMU says FBI came not with cash, but a subpoena -
University has broken its silence, but will that quell the critics?
Carnegie-Mellon University has fired back in the TOR war, saying
that it wasn't paid by the FBI to reveal its de-anonymisation
research outputs.
http://www.theregister.co.uk/2015/11/19/tor_wars_cmu_says_fbi_came_not_with_cash_but_a_subpoena/
Sony hackers remained hidden for months due to a new toolset:
Damballa - Researchers at Damballa have discovered a toolset that
may have helped the Destover and Shamoon malware remain undetected
while they were used to attack Sony and Saudi Aramco.
http://www.scmagazine.com/sony-hackers-remained-hidden-for-months-due-to-a-new-toolset-damballa/article/455696/
UK shoppers lose workday picking up aftermath of cyber-crime - More
than 12 million Brits (20 percent) have been victimised by
cyber-criminals this past year. UK consumers lost more than one full
working day (nine hours) when dealing with the aftermath of online
crime, costing roughly £134 each person or £1.6 billion across the
country.
http://www.scmagazine.com/uk-shoppers-lose-workday-picking-up-aftermath-of-cyber-crime/article/455699/
Critical infrastructure regulators need to improve cyber metrics -
Despite closer ties and better teamwork between critical
infrastructure providers and the federal agencies that help protect
their systems from cyberattack, the government lacks a consistent
way to gauge threats and security progress, according to a study by
the Government Accountability Office.
https://fcw.com/articles/2015/11/20/rockwell-gao-infrastructure.aspx
http://www.scmagazine.com/critical-infrastructure-networks-lacking-in-performance-metrics/article/455684/
FDIC offers additional cybersecurity resources - New online
educational tools to assist bank executives in defending against
cybercrime have been added to the website of the FDIC (Federal
Deposit Insurance Corporation), the independent government entity
that insures depositor accounts in member banks, according to the
ABA Banking Journal.
http://www.scmagazine.com/fdic-offers-additional-cybersecurity-resources/article/455840/
Smart TVs not all that bright when it comes to fighting cyberthreats
- Smart TVs are not being targeted by hackers right now, but a
researcher at Symantec has noted that cybercriminals have a wide
range of options if they wish to breach the average Smart TV.
http://www.scmagazine.com/smart-tvs-not-all-that-bright-when-it-comes-to-fighting-cyberthreats/article/455832/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Starwood Hotels hit with POS malware - Starwood Hotels reported
that malware implanted on the point-of-sale systems at several of
its properties may have exposed customer credit card data.
http://www.scmagazine.com/starwood-hotels-hit-with-pos-malware/article/455395/
http://www.cnet.com/news/customers-at-sheraton-westin-other-hotels-hit-by-data-stealing-hack-attack/
IBM, Oracle, Cisco certification manager breached, info accessed - A
data breach at Pearson VUE, the certification manager for Cisco,
Oracle and IBM compromised the company's Credential Manager System
and allowed unauthorized third-party access to data of “a limited
set” of its users, Pearson VUE said in a Saturday statement.
http://www.scmagazine.com/pearson-vue-acknowledges-breach-says-data-exposure-appears-limited/article/455566/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency
statement on "Weblinking: Identifying Risks and Risk Management
Techniques." (Part 7 of 10)
B. RISK MANAGEMENT TECHNIQUES
Planning Weblinking Relationships
Agreements
If a financial institution receives compensation from a third
party as the result of a weblink to the third-party's website, the
financial institution should enter into a written agreement with
that third party in order to mitigate certain risks. Financial
institutions should consider that certain forms of business
arrangements, such as joint ventures, can increase their risk. The
financial institution should consider including contract provisions
to indemnify itself against claims by:
1) dissatisfied purchasers of third-party products or
services;
2) patent or trademark holders for infringement by the third
party; and
3) persons alleging the unauthorized release or compromise of
their confidential information, as a result of the third-party's
conduct.
The agreement should not include any provision obligating the
financial institution to engage in activities inconsistent with the
scope of its legally permissible activities. In addition, financial
institutions should be mindful that various contract provisions,
including compensation arrangements, may subject the financial
institution to laws and regulations applicable to insurance,
securities, or real estate activities, such as RESPA, that establish
broad consumer protections.
In addition, the agreement should include conditions for
terminating the link. Third parties, whether they provide services
directly to customers or are merely intermediaries, may enter into
bankruptcy, liquidation, or reorganization during the period of the
agreement. The quality of their products or services may decline, as
may the effectiveness of their security or privacy policies. Also
potentially just as harmful, the public may fear or assume such a
decline will occur. The financial institution will limit its risks
if it can terminate the agreement in the event the service provider
fails to deliver service in a satisfactory manner.
Some weblinking agreements between a financial institution and a
third party may involve ancillary or collateral information-sharing
arrangements that require compliance with the Privacy Regulations.
For example, this may occur when a financial institution links to
the website of an insurance company with which the financial
institution shares customer information pursuant to a joint
marketing agreement.
FFIEC IT SECURITY - We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Suspicious Activity Reporting.
National banks are required to report intrusions and other computer
crimes to the OCC and law enforcement by filing a Suspicious
Activity Report (SAR) form and submitting it to the Financial Crimes
Enforcement Network (FinCEN), in accordance with 12 USC 21.11. This
reporting obligation exists regardless of whether the institution
has reported the intrusion to the information-sharing organizations
discussed below. For purposes of the regulation and the SAR form
instructions, an "intrusion" is defined as gaining access to the
computer system of a financial institution to remove, steal, procure
or otherwise affect information or funds of the institution or
customers. It also includes actions that damage, disable, or
otherwise affect critical systems of the institution. For example,
distributed denial of service attaches (DDoS) attacks should be
reported on a SAR because they may temporarily disable critical
systems of financial institutions.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the
series on the National Institute of Standards and Technology (NIST)
Handbook.
3.5 Supporting Functions
The security responsibilities of managers, technology providers and
security officers are supported by functions normally assigned to
others. Some of the more important of these are described below.
Audit. Auditors are responsible for examining systems to
see whether the system is meeting stated security requirements,
including system and organization policies, and whether security
controls are appropriate. Informal audits can be performed by those
operating the system under review or, if impartiality is important,
by outside auditors.
Physical Security. The physical security office is usually
responsible for developing and enforcing appropriate physical
security controls, in consultation with computer security
management, program and functional managers, and others, as
appropriate. Physical security should address not only central
computer installations, but also backup facilities and office
environments. In the government, this office is often responsible
for the processing of personnel background checks and security
clearances.
Disaster Recovery/Contingency Planning Staff. Some
organizations have a separate disaster recovery/contingency planning
staff. In this case, they are normally responsible for contingency
planning for the organization as a whole, and normally work with
program and functional managers/application owners, the computer
security staff, and others to obtain additional contingency planning
support, as needed.
Quality Assurance. Many organizations have established a
quality assurance program to improve the products and services they
provide to their customers. The quality officer should have a
working knowledge of computer security and how it can be used to
improve the quality of the program, for example, by improving the
integrity of computer-based information, the availability of
services, and the confidentiality of customer information, as
appropriate.
Procurement. The procurement office is responsible for
ensuring that organizational procurements have been reviewed by
appropriate officials. The procurement office cannot be responsible
for ensuring that goods and services meet computer security
expectations, because it lacks the technical expertise.
Nevertheless, this office should be knowledgeable about computer
security standards and should bring them to the attention of those
requesting such technology.
Training Office. An organization has to decide whether the
primary responsibility for training users, operators, and managers
in computer security rests with the training office or the computer
security program office. In either case, the two organizations
should work together to develop an effective training program.
Personnel. The personnel office is normally the first
point of contact in helping managers determine if a security
background investigation is necessary for a particular position. The
personnel and security offices normally work closely on issues
involving background investigations. The personnel office may also
be responsible for providing security-related exit procedures when
employees leave an organization.
Risk Management/Planning Staff. Some organizations have a
full-time staff devoted to studying all types of risks to which the
organization may be exposed. This function should include computer
security-related risks, although this office normally focuses on
"macro" issues. Specific risk analyses for specific computer systems
are normally not performed by this office.
Physical Plant. This office is responsible for ensuring
the provision of such services as electrical power and environmental
controls, necessary for the safe and secure operation of an
organization's systems. Often it is augmented by separate medical,
fire, hazardous waste, or life safety personnel.
3.6 Users
Users also have responsibilities for computer security. Two kinds
of users, and their associated responsibilities, are described
below.
Users of Information. Individuals who use information
provided by the computer can be considered the "consumers" of the
applications. Sometimes they directly interact with the system
(e.g., to generate a report on screen) -- in which case they are
also users of the system (as discussed below). Other times, they may
only read computer-prepared reports or only be briefed on such
material. Some users of information may be very far removed from the
computer system. Users of information are responsible for letting
the functional managers/application owners (or their representatives)
know what their needs are for the protection of information,
especially for its integrity and availability.
Users of Systems. Individuals who directly use computer
systems (typically via a keyboard) are responsible for following
security procedures, for reporting security problems, and for
attending required computer security and functional training.